Abstract. According to Strachey, a polymorphic program is parametric if it applies a
uniform algorithm independently of the type instantiations at which it is applied. The 
notion of relational parametricity, introduced by Reynolds, is one possible mathematical 
formulation of this idea. Relational parametricity provides a powerful tool for establishing 
data abstraction properties, proving equivalences of datatypes, and establishing equalities
of programs. Such properties have been well studied in a pure functional setting.
Many programs, however, exhibit computational effects, and are not accounted for by 
the standard theory of relational parametricity. In this paper, we develop a foundational 
framework for extending the notion of relational parametricity to programming languages 
with effects. 



The theory of relational parametricity, proposed by Reynolds [32], provides a powerful
framework for establishing properties of polymorphic programs and their types. Such
properties include the "theorems for free" of Wadler [41], universal properties for datatype
encodings, and representation independence properties for abstract datatypes. These results
are well established, see e.g. [29], for the pure Girard/Reynolds second-order λ-calculus
(a.k.a. system F) which provides a concise yet remarkably powerful calculus of typed total
functions.

The generalisation of relational parametricity to richer calculi can be problematic. Even 
the addition of recursion (hence nontermination) causes difficulties, since the fixed-point 
property of recursion is incompatible with certain consequences of relational parametricity 
as usually formulated. This issue led Plotkin [28] to propose using second-order linear type
theory as a framework for combining parametricity and recursion, an idea which has since
been developed in an operational setting in [3] and in a denotational setting in [4]. One of
the many good properties of the resulting theory of linear parametricity is that it supports 
a rich collection of polymorphic datatype encodings with the desired universal properties 
following from relational parametricity. 

The addition of recursion is just one possible extension of second-order λ-calculus. In [9],
M. Hasegawa develops a syntactic account of relational parametricity for an orthogonal
extension obtained by adding control operators (such an extension was first introduced
by Parigot [24] for proof-theoretic purposes). An intriguing fact he observes is that, even
though the technical frameworks for the two approaches are quite different, there are striking 
analogies between his "focal" parametricity and Plotkin's linear parametricity. Accordingly, 
Hasegawa poses the question of whether it is possible to find a unifying framework for 
relational parametricity that includes both his work and Plotkin's linear parametricity as 
special cases. 

In this paper we provide a general theory of relational parametricity for computational 
effects, which answers Hasegawa's question in the affirmative. Not only does our approach 
generalise both Plotkin's and Hasegawa's, but it also applies across the full range of
computational effects (e.g., nondeterminism, probabilistic choice, input/output, side effects,
exceptions, etc.). 

We build on the work of Moggi [22, 23], who proposed incorporating effects into type
theory by adding a new type constructor for typing "computations" rather than values. For
every type $B$, one has a new type $!B$ (our non-standard notation is justified in Section 5)
whose elements represent computations that (potentially) return values in B, and which 
(possibly) perform effects along the way. Semantically, ! is interpreted using a computational 
monad that encapsulates the relevant kinds of effect. 

In order to obtain an account of relational parametricity for monads, one needs to
solve a problem. Basic to relational parametricity is the idea of treating types as relations.
Polymorphic functions are required to preserve derived relations under all possible
instantiations of relations to type variables. To extend this to computational effects it is
necessary to determine how the operation $!$ determines a relation $!R \subseteq {!A} \times {!B}$ from any
relation $R \subseteq A \times B$. That is, one needs a "relational lifting" of the $!$ operation. The
literature contains two approaches to defining such a relational lifting for $!$ [HI [T3] (although
neither is presented in the context of polymorphism). Rather than choosing between these
approaches, we instead side-step the issue in a surprising way: we show that, given the
right choice of underlying type theory, $!$ is polymorphically definable in terms of more basic
primitives whose relational interpretations are immediately apparent.

Our type theory, which we call PE, is presented in Section 2. It is closely related to
Levy's system of call by push-value (CBPV) [15], which subsumes call-by-name and call-by-value
calculi with effects. Levy, following the lead of Filinski [5], emphasises the importance
of having two general classes of types: value types, which classify "values", and computation
types, which classify "computations". The intuitive difference between the two is that "a
value is" and "a computation does". Technically, this intuition is supported by the vast
range of semantic and operational interpretations of the framework, see [15].

With general computation types at hand, one can give the $!$ constructor the following
polymorphic definition:

$$!B \;=_{\mathrm{def}}\; \forall \underline{X}.\ (B \to \underline{X}) \to \underline{X} \qquad (\underline{X} \text{ not free in } B), \tag{1.1}$$

where importantly the type variable $\underline{X}$ ranges over computation types only. As we shall
see, the type constructors used in the definition all have natural relational interpretations,
and hence the defined $!$ operation inherits an induced relational lifting.

In order to reason about parametricity in PE, we build a relationally parametric model
of our calculus. Even in the case of ordinary second-order λ-calculus, the construction of
parametric models is a nontrivial task. In our case, the interaction between value and
computation types contributes significant additional complexity. To keep things as simple
as possible, we work with a set-theoretic model, exploiting the fact that it is consistent to
do so if one keeps to intuitionistic reasoning. The details are presented in Sections 3 and [H.
As a first application of the model, we prove in Section 5 that the $!$ operator, as defined
by (1.1) above, does indeed enjoy its expected universal property (Theorem 5.2).

In Section 7 we consider how to specialise the generic calculus PE to specific effects of
interest. One useful form of specialisation recurs in many examples. It is common for effects
to have associated operations that trigger and/or react to "effectful" behaviour. Typically,
one would like to give an n-ary such operation the polymorphic type:

$$\forall X.\ (!X)^n \to {!X}. \tag{1.2}$$

For example, a binary nondeterministic choice operation forms a computation by choosing
between two possible continuation computations. Also, the "handle" operation for an
exception $e$, can be viewed as a binary operation where $\mathrm{handle}_e(p, q)$ behaves like $p$ unless $p$
raises exception $e$, in which case $q$ is executed. Since such operations are computed in a
type-independent way, they are "parametric" in the informal sense of Strachey. We show
that such operations are also parametric according to our theory of relational parametricity.
This involves two technical developments, each of interest in its own right. The first relates
to recent work by Plotkin and Power [31], in which they observe that many operations on
effects are "algebraic operations" in the sense of universal algebra. As Theorem 17. H we
obtain that n-ary algebraic operations are in one-to-one correspondence with (parametric)
elements of type:

$$\forall \underline{X}.\ \underline{X}^n \to \underline{X}, \tag{1.3}$$

where again $\underline{X}$ ranges over computation types. Thus algebraic operations can be incorporated
within PE as constants of the above type (which is more informative than (1.2), since
monadic types $!B$ are always computation types).

Not all useful operations on effects arise as algebraic operations; e.g., exception handling
is a counterexample. However, exception handling can be added to PE using a different
strengthening of (1.2) for its type:

VX {\Xf \X . (1.4) 

This is indeed a strengthening of (1.2) because the lollipop can be understood as restricting
the full function space to a subclass of "linear" (in a sense to be explained in the sequel)
functions. The correctness of the above typing is again based on a general result
(Theorem 7.2) which characterises the (parametric) elements of the above type in terms of a
naturality condition.

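In Section El we outline the relationship between PE and other approaches to
parametricity and effects. Plotkin's linear parametricity arises as a specialisation of PE valid in
the special case of "commutative" monads. We also briefly discuss how Hasegawa's account
of parametricity and control arises as a specialisation of PE. The details for this appear
in a companion paper [20]. Finally, in Section [H we discuss how the theory established in
this paper might be applied to derive operational properties of polymorphic languages with
effects.

$$
\frac{}{\Gamma, x\colon B \mid - \vdash x\colon B}
\qquad
\frac{\Gamma, x\colon B \mid \Delta \vdash t\colon C}{\Gamma \mid \Delta \vdash \lambda x\colon B.\, t\colon B \to C}
\qquad
\frac{\Gamma \mid \Delta \vdash s\colon B \to C \qquad \Gamma \mid - \vdash t\colon B}{\Gamma \mid \Delta \vdash s(t)\colon C}
$$

$$
\frac{\Gamma \mid \Delta \vdash t\colon B}{\Gamma \mid \Delta \vdash \Lambda X.\, t\colon \forall X.\, B}\ \ X \notin \mathrm{ftv}(\Gamma, \Delta)
\qquad
\frac{\Gamma \mid \Delta \vdash t\colon \forall X.\, B}{\Gamma \mid \Delta \vdash t(A)\colon B[A/X]}
$$

$$
\frac{}{\Gamma \mid x\colon \underline{A} \vdash x\colon \underline{A}}
\qquad
\frac{\Gamma \mid x\colon \underline{A} \vdash t\colon \underline{B}}{\Gamma \mid - \vdash \lambda^{\circ} x\colon \underline{A}.\, t\colon \underline{A} \multimap \underline{B}}
\qquad
\frac{\Gamma \mid - \vdash s\colon \underline{A} \multimap \underline{B} \qquad \Gamma \mid \Delta \vdash t\colon \underline{A}}{\Gamma \mid \Delta \vdash s(t)\colon \underline{B}}
$$

$$
\frac{\Gamma \mid \Delta \vdash t\colon B}{\Gamma \mid \Delta \vdash \Lambda \underline{X}.\, t\colon \forall \underline{X}.\, B}\ \ \underline{X} \notin \mathrm{ftv}(\Gamma, \Delta)
\qquad
\frac{\Gamma \mid \Delta \vdash t\colon \forall \underline{X}.\, B}{\Gamma \mid \Delta \vdash t(\underline{A})\colon B[\underline{A}/\underline{X}]}
$$

Figure 1: Typing rules.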

2. A polymorphic calculus

We start by defining the type theory PE for polymorphism and effects. As discussed in
the introduction, following [15], PE contains both value types $A, B, C, \ldots$ and computation
types $\underline{A}, \underline{B}, \underline{C}, \ldots$. A central feature of our type theory is that we allow polymorphic type
quantification over both value types and computation types. Accordingly, we use $X, Y, Z, \ldots$
to range over a countable set of value-type variables, and $\underline{X}, \underline{Y}, \underline{Z}, \ldots$ to range over a disjoint
countable set of computation-type variables. Value types and computation types are then
mutually defined by:

$$A ::= X \mid B \to C \mid \forall X.\, B \mid \underline{X} \mid \forall \underline{X}.\, B \mid \underline{A} \multimap \underline{B}$$

$$\underline{A} ::= B \to \underline{A} \mid \forall X.\, \underline{A} \mid \underline{X} \mid \forall \underline{X}.\, \underline{A}$$

Note that the computation types form a subcollection of the value types. The intuition 
here is that any (active) computation has a corresponding (static) value, its "thunk". In 
contrast to [15], we make this passage from computations to values syntactically invisible. 

For semantic intuition, one can think of value types as representing sets, and of
computation types as representing Eilenberg-Moore algebras for some computational monad on
sets. Then $B \to C$ is the set of all functions. The special case $B \to \underline{A}$ is a computation type
because algebras are closed under powers, with the algebra structure defined pointwise. The
type $\underline{A} \multimap \underline{B}$ represents the set of all algebra homomorphisms from $\underline{A}$ to $\underline{B}$. In general, there
is no natural algebra structure on this set, hence the type $\underline{A} \multimap \underline{B}$ is not a computation
type. Finally $\forall X.\, B$ and $\forall \underline{X}.\, B$ are polymorphic types, with the polymorphism ranging over
value types and computation types respectively. In either case, when $B$ is a computation
type, the polymorphic type is again a computation type. This is justified by Proposition 14. II
below.

Our types, which are based on function spaces and polymorphism, are not directly
comparable with Levy's [15], which include sums and products. Nonetheless, we shall see in
Section 8 that we can encode Levy's calculus within ours. Given this, our calculus extends
Levy's with polymorphic types (cf. [15, §12.4]) and linear function types. The latter have a
particularly nice explanation in terms of Levy's stack-based operational framework, within
which a value of type $\underline{A} \multimap \underline{B}$ can be understood as a stack turning a computation of type
$\underline{A}$ into a computation of type $\underline{B}$, cf. [16]. In our system, linear function types will be used
crucially in the computation-type encodings of Section [HI

Having computation types as special value types allows us to base our type system on
a single judgement form:

$$\Gamma \mid \Delta \vdash t\colon B,$$

where $\Gamma$ and $\Delta$ are disjoint contexts of variable typings subject to the following conditions:
either (i) $\Delta$ is empty, or (ii) $B$ is a computation type and $\Delta$ has the form $x\colon \underline{A}$, where $\underline{A}$ is
also a computation type. Thus the context $\Delta$, which, following jSllTj, we call the stoup of
the typing judgement, contains at most one typing assertion. When we want to be explicit
about which of (i) or (ii) applies, we write:

(i) $\Gamma \mid - \vdash t\colon B$

(ii) $\Gamma \mid x\colon \underline{A} \vdash t\colon \underline{B}$.

In the first case, the intuitive interpretation of $t$ is as an arbitrary function from the product
of all types in $\Gamma$ to the type $B$. In the second case, the interpretation of $t$ is as a function
from $\Gamma \times \underline{A}$ to $\underline{B}$ that is an algebra homomorphism in its right-hand argument (i.e., for every
fixed set of values for the $\Gamma$ variables, the induced function from $\underline{A}$ to $\underline{B}$ is a homomorphism).
From this interpretation, one sees why the stoup is restricted to computation types, and
also why, when the stoup is nonempty, the result type is required to be a computation type.

The type system is presented in Figure 1. The side conditions refer to the set $\mathrm{ftv}(\Gamma)$ of
free type variables in a context $\Gamma$, which is defined in the obvious way. Of course, the type
rules are restricted to apply only when the premises satisfy the conditions on judgements
imposed above. In such cases, the rule conclusions also satisfy these conditions.

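The following simple lemmata state basic properties of the type system.

Lemma 2.1 (Unicity of types). For any $\Gamma, \Delta, t$ there is at most one type $B$ such that
$\Gamma \mid \Delta \vdash t\colon B$.

Lemma 2.2 (Substitution).

(1) If $\Gamma, x\colon A \mid \Delta \vdash t\colon B$ and $\Gamma \mid - \vdash s\colon A$ then $\Gamma \mid \Delta \vdash t[s/x]\colon B$.

(2) If $\Gamma \mid x\colon \underline{A} \vdash t\colon \underline{B}$ and $\Gamma \mid \Delta \vdash s\colon \underline{A}$ then $\Gamma \mid \Delta \vdash t[s/x]\colon \underline{B}$.

Proof. Both statements are proved by induction over the depth of the typing derivation for $t$.
For example, consider the second statement in the case of $t = u\,u'$, where $\Gamma \mid x\colon \underline{A} \vdash u\colon C \to \underline{B}$
and $\Gamma \mid - \vdash u'\colon C$. In this case $(u\,u')[s/x] = u[s/x]\,u'$ and by induction hypothesis
$\Gamma \mid \Delta \vdash u[s/x]\colon C \to \underline{B}$, so $\Gamma \mid \Delta \vdash u[s/x]\,u'\colon \underline{B}$. □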

It is immediate that the type system for value types extends the standard second-order
λ-calculus of Girard and Reynolds. Indeed, the typing rules for the relevant types ($X$,
$B \to C$ and $\forall X.\, B$), when restricted to the case with empty stoup, are just the usual ones.
It is well-known that the second-order λ-calculus is powerful enough to encode many type
constructors including products, sums, inductive and coinductive types. We include those
definitions we shall need later in Figure 2. These encodings are all standard apart from
the last one which is existential quantification over computation types. The introduction
and elimination constructs for the definable value types are encoded in most cases as in the
second-order λ-calculus, but the presence of the stoup in PE means that in some cases a
slight variation of these encodings must be used. A more detailed discussion of this issue
appears in [21, Sec. 4].

Figure 2: Definable value types

3. Semantic setting 

In the previous section, we appealed to semantic intuition by explaining value types as 
sets and computation types as algebras for a monad on sets. Unfortunately, this intuition 
runs into the technical problem that there are no set-theoretic models of polymorphism [33].
However, it was shown by Pitts [25] that set-theoretic models of polymorphism are possible
if intuitionistic set theory is used rather than ordinary classical set theory. We shall exploit 
this by working with such an intuitionistic set-theoretic model. The advantage of this 
strategy is that the set-theoretic framework allows the development to concentrate entirely 
on the difficulties inherent in defining a suitable notion of relational parametricity, which are 
formidable in themselves, rather than on incidental details specific to a particular concrete 
model. Our approach results in no loss of generality. All denotational models of relational 
parametricity of which we are aware can be exhibited as full subcategories of models of 
intuitionistic set theory. 

The intuitionistic set theory we use in this paper is Friedman's Intuitionistic
Zermelo-Fraenkel set theory (IZF), which is the established intuitionistic counterpart of classical
Zermelo-Fraenkel set theory (ZF). The theory IZF is axiomatized over intuitionistic
first-order logic with equality. The axioms of IZF are the usual axioms of classical ZF, except
that Collection is taken as an axiom schema instead of Replacement, and Foundation is 
formulated as a principle of transfinite induction over the membership relation. One reason 
for assuming the Collection schema is that it is strictly stronger than Replacement under 
intuitionistic logic. The reformulation of Foundation is required because the usual versions 
of the axiom imply the Law of Excluded Middle (LEM), whence classical logic. (The Axiom 
of Choice also implies LEM, and so is not considered.) The naturalness of IZF is underlined 
by the existence of a wide range of Kripke, sheaf and realizability models. For a detailed 
summary of the axioms and properties of IZF, see Scedrov's survey article [36].

Henceforth in this paper, we use IZF as our mathematical meta-theory. To keep
matters readable, we work informally within IZF, just as in ordinary mathematical practice
one works informally in ZF. This approach is deliberately chosen to avoid cluttering the
mathematics of the arguments with the formalities of the metatheory. (Nevertheless, when
it is particularly helpful to do so, we shall occasionally remark on technical aspects of the
formalization.) In fact, to the casual reader, it will not seem that much out of the ordinary 
is going on. Given the similarity between the axioms of ZF and IZF, reasoning within IZF 
feels very much like reasoning within classical ZF. Essentially, the only practical difference 
is that one has to adhere to the discipline of intuitionistic logic. The reader should try to 
be sensitive to this issue, because our adherence to intuitionistic logic is essential to the 
consistency of this paper. Nonetheless, since IZF is a subtheory of ZF, readers who are not 
familiar with the distinctions between intuitionistic and classical reasoning, should anyway 
be able to follow the mathematical development. Such readers will, however, have to place 
their trust in the authors that the reasoning principles of IZF are never violated. For anyone 
who wishes to learn more about reasoning in intuitionistic set theory, a good starting place 
is p. 

As is common in set-theoretic reasoning, we shall sometimes have to work with
collections of sets that are too "large" to themselves form a set; that is, with proper classes.
When working with IZF (as with classical ZF), classes are accommodated by taking them
as being represented by formulas: a formula $\phi$ with distinguished free variable $x$ represents
the class $\{x \mid \phi\}$. In practice, it would be a nuisance to always have to work with concrete
formulas. Instead, we shall typically say: "let X be a class then . . . ", without specifying
a particular formula $\phi$ that represents X. Such reasoning can be understood schematically
as being valid relative to any possible formula instantiating X (and, in practice, there may
be several different concrete instantiations that satisfy all assumed properties of X).
Alternatively, it is possible to view the development as taking place in an extension of the
language of set theory with a new unary predicate for every assumed class. This latter 
viewpoint is slightly more general, since, in models, it allows classes to be collections other 
than those specified by formulas in the language of set theory. Such mild added generality 
is natural if one interprets our reasoning in the categorical models of IZF given by algebraic 
set theory [13, 38], where the category of classes is the primary category of interest, and
class predicates can be interpreted as objects in such a category. Whichever viewpoint one 
takes on whether one thinks of the language as extended with class predicates or not, the 
underlying set theory remains "morally" unchanged, and we shall accordingly continue to 
refer to it as IZF. 

We now begin the technical development within IZF. As discussed above, value types
will be modelled as sets. However, it is known that it is not possible to interpret types in the
second-order λ-calculus as arbitrary sets [26]. Thus we require a collection of special sets
for interpreting types. Such special sets need to be closed under the set-theoretic operations
used in the interpretation. Accordingly, we assume that we have a full subcategory $\mathcal{C}$ of the
category Set of sets that satisfies:

(C1): For any set-indexed family $\{A_i\}_{i \in I}$ of sets in $\mathcal{C}$, the set-theoretic product $\prod_{i \in I} A_i$ is
again in $\mathcal{C}$.

(C2): Given $A, B \in \mathcal{C}$ and functions $f, g\colon A \to B$, the equalizer $\{x \in A \mid f(x) = g(x)\}$ is
again in $\mathcal{C}$.

In other words, the category $\mathcal{C}$ is small-complete with limits inherited from Set. Since
function spaces are powers, for any set $A$ and any $B \in \mathcal{C}$, the function space $B^A$ is in $\mathcal{C}$,
i.e., $\mathcal{C}$ is an exponential ideal of Set. In particular, $\mathcal{C}$ is cartesian closed. In addition, we
require:

(C3): There is a set $\mathbf{C}$ of objects of $\mathcal{C}$ such that, for any $A \in \mathcal{C}$, there exists $B \in \mathbf{C}$ with

(C4): If $A \in \mathcal{C}$ and $A \cong B$ in Set then $B \in \mathcal{C}$.

These two properties pull in opposite directions. Property (C3) requires that $\mathcal{C}$ enjoys a
smallness constraint, which will be used to interpret polymorphism. Explicitly, (C3) says
that $\mathcal{C}$ is weakly equivalent to its small full subcategory on the set of objects $\mathbf{C}$. It is not,
however, a small category itself, since (C4) forces $\mathcal{C}$ to have a proper class of objects.

In classical set theory, conditions (C1) and (C3) together imply that every object in $\mathcal{C}$
is either the empty set or a singleton set (cf. Freyd's argument that a weakly small category
with small products is a preorder, see [17, Proposition V.2.3]). The reason we work in IZF
is that this renders it consistent for there to be a nontrivial category satisfying all of
(C1)-(C4). Indeed, it is consistent for the natural numbers to be an object of $\mathcal{C}$. This consistency
property derives from the work of Hyland et al. on small-complete small categories [10] [12].
However, our perspective is slightly different. Rather than assuming a small category that
is complete only in a restricted technical sense [12] [M], our category $\mathcal{C}$ is assumed to be
genuinely complete, but only weakly equivalent to a small category. This approach, which
is taken from [35], offers several conveniences. For example, it allows us to assume (C4),
which, as well as being a natural repleteness condition on $\mathcal{C}$, makes it easy to show that
sets we have defined explicitly are actually in $\mathcal{C}$.

According to our informal explanation of computation types in Section 2, they can
be interpreted as Eilenberg-Moore algebras for a monad $T$ on $\mathcal{C}$. For any such monad $T$,
the category $\mathcal{A}$ of algebras comes with a forgetful functor $U\colon \mathcal{A} \to \mathcal{C}$ and the following
properties are satisfied.

(A1): $U$ "weakly creates limits" in the following sense. For every diagram $\Delta$ in $\mathcal{A}$ and
limiting cone $\lim(U(\Delta))$ of $U(\Delta)$ in $\mathcal{C}$, there exists a specified limiting cone $\lim \Delta$ of $\Delta$
in $\mathcal{A}$ such that $U(\lim \Delta) = \lim(U(\Delta))$.

(A2): $U$ reflects isomorphisms (i.e., if $Uf$ is an isomorphism in $\mathcal{C}$ then $f$ is an isomorphism
in $\mathcal{A}$).

(A3): For objects $\underline{A}, \underline{B}$ of $\mathcal{A}$, the hom-set $\mathcal{A}(\underline{A}, \underline{B})$ is an object of $\mathcal{C}$.

(A4): There exists a set $\mathbf{A}$ of objects of $\mathcal{A}$ such that for every $\underline{A} \in \mathcal{A}$, there exists $\underline{B} \in \mathbf{A}$
with $\underline{B}$ isomorphic to $\underline{A}$.

Lemma 3.1. Suppose $\mathcal{C}$ satisfies (C1)-(C4) and let $T$ be a monad on $\mathcal{C}$. Then the category
$\mathcal{A}$ of Eilenberg-Moore algebras for $T$ and the forgetful functor $U\colon \mathcal{A} \to \mathcal{C}$ satisfy (A1)-(A4).

Proof. Properties (A1) and (A2) are standard, indeed the forgetful functor creates limits,
which implies (A1). Property (A3) holds because $\mathcal{A}(\underline{A}, \underline{B})$ arises as an equalizer in $\mathcal{C}$ of two
evident functions $(U\underline{B})^{U\underline{A}} \rightrightarrows (U\underline{B})^{TU\underline{A}}$. For property (A4) define

A = {{A, i) \ Ag C, and ^ is an Eilenberg-Moore algebra structure on A}. 

□ 

The reason for identifying (A1)-(A4) is that, in order to interpret the calculus of
Section [51 it is sufficient to work with any category $\mathcal{A}$ and functor $U\colon \mathcal{A} \to \mathcal{C}$ satisfying
(A1)-(A4) above. Henceforth, we assume this situation.

By a specified limiting cone we mean that we are given a (class) function that maps any diagram $\Delta$ and
limiting cone for $U(\Delta)$ to the required limiting cone in $\mathcal{A}$.

In particular, the weakening of limit creation in (A1) is crucial to the application in [20].

It is convenient to maintain algebraic terminology for the category $\mathcal{A}$. Thus we call the
objects of $\mathcal{A}$ algebras. By (A1) and (A2), the functor $U$ is faithful, thus we can identify the
morphisms $\mathcal{A}(\underline{A}, \underline{B})$ with special functions from $U\underline{A}$ to $U\underline{B}$, which we call homomorphisms.
We write $\underline{A} \multimap \underline{B}$ for the set of homomorphisms from $\underline{A}$ to $\underline{B}$. (N.B. by (A3) the set $\underline{A} \multimap \underline{B}$
is an object of $\mathcal{C}$.) The notation $\underline{A} \cong \underline{B}$ means $\underline{A}$, $\underline{B}$ are isomorphic in $\mathcal{A}$.

In Section S] we interpret the type theory of Section 2 using $U\colon \mathcal{A} \to \mathcal{C}$. In doing so,
we formulate relational parametricity using binary relations in the categories $\mathcal{C}$ and $\mathcal{A}$. As
usual, these are defined as subobjects of products. First, let us review some basic properties 
of subobjects in C and A. 

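For every object $A$ of $\mathcal{C}$, we write $\mathrm{Sub}_{\mathcal{C}}(A)$ for the set of subobjects of $A$ in the category
$\mathcal{C}$. Since the inclusion $\mathcal{C} \to \mathrm{Set}$ preserves limits and hence monomorphisms, this is explicitly
defined by:

$$\mathrm{Sub}_{\mathcal{C}}(A) = \{B \in \mathcal{C} \mid B \subseteq A\}.$$

We call the elements of $\mathrm{Sub}_{\mathcal{C}}(A)$ the $\mathcal{C}$-subsets of $A$.

Similarly, we write $\mathrm{Sub}_{\mathcal{A}}(\underline{A})$ for the collection of subobjects of an algebra $\underline{A}$ in $\mathcal{A}$.
Because $U$ preserves limits, every mono $\underline{B} \multimap \underline{A}$ in $\mathcal{A}$ is mapped by $U$ to a mono $U\underline{B} \to U\underline{A}$
in $\mathcal{C}$. Thus, for every $\underline{A} \in \mathcal{A}$, the functor $U$ determines a function $\mathrm{Sub}_{\mathcal{A}}(\underline{A}) \to \mathrm{Sub}_{\mathcal{C}}(U\underline{A})$.
The lemma below shows that we can view subobjects of $\underline{A}$ in $\mathcal{A}$ as special subobjects of $U\underline{A}$
in $\mathcal{C}$.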

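Lemma 3.2. The function $\mathrm{Sub}_{\mathcal{A}}(\underline{A}) \to \mathrm{Sub}_{\mathcal{C}}(U\underline{A})$ preserves and reflects the ordering.

Proof. We show that it reflects the ordering. Suppose $\underline{B} \multimap \underline{A}$ and $\underline{C} \multimap \underline{A}$ represent
subobjects of $\underline{A}$ such that the subobject represented by $U\underline{B} \to U\underline{A}$ is smaller than that
represented by $U\underline{C} \to U\underline{A}$. Then there exists an $f$ such that the square below is a pullback.

[Diagram (3.1): pullback square with vertices $U\underline{B}$, $U\underline{C}$, $U\underline{B}$, $U\underline{A}$ and an arrow labelled $f$.]

By (A1) there exists a pullback diagram

[Diagram: pullback square with vertices $\underline{B}'$, $\underline{C}$, $\underline{B}$, $\underline{A}$.]

in $\mathcal{A}$ mapped by $U$ to (3.1), and by (A2) the map $\underline{B}' \multimap \underline{B}$ is an isomorphism, so $\underline{B} \multimap \underline{A}$
represents a smaller subobject than $\underline{C} \multimap \underline{A}$. □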

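We say that $A \subseteq U\underline{A}$ carries a subalgebra if it represents a subobject in the image of
the map $\mathrm{Sub}_{\mathcal{A}}(\underline{A}) \to \mathrm{Sub}_{\mathcal{C}}(U\underline{A})$ induced by $U$. In fact, $\mathrm{Sub}_{\mathcal{A}}(\underline{A})$ is given explicitly by:

$$\mathrm{Sub}_{\mathcal{A}}(\underline{A}) = \{B \in \mathcal{C} \mid B \subseteq U\underline{A} \text{ and carries a subalgebra of } \underline{A}\}.$$

Axiom (A1) gives a way of picking representatives in $\mathcal{A}$ for subalgebras presented by
subsets:

Lemma 3.3. For each $A \in \mathrm{Sub}_{\mathcal{A}}(\underline{A})$ there is a specified algebra and mono $f$ into $\underline{A}$ in
$\mathcal{A}$ such that $Uf$ is the inclusion of $A$ into $U\underline{A}$.

Proof. Suppose $A \subseteq U\underline{A}$ carries a subalgebra of $\underline{A}$. Then the set

$$\{(\underline{B}, i) \mid \underline{B} \in \mathbf{A},\ i\colon \underline{B} \multimap \underline{A} \text{ mono},\ U(i) \cong (A \subseteq U\underline{A})\} \tag{3.2}$$

where the last isomorphism is an isomorphism of subobjects, is non-empty. The set (3.2)
indexes a diagram in $\mathcal{A}$, and $A$ is a limit in $\mathcal{C}$ of $U$ applied to this diagram. Now, (A1) gives
the specified mono projecting to $A \subseteq U\underline{A}$. □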

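We introduce notation for binary relations. For $A \in \mathcal{C}$, we write $\Delta_A$ for the diagonal
(identity) relation in $\mathrm{Sub}_{\mathcal{C}}(A \times A)$. Similarly, for $\underline{A} \in \mathcal{A}$, we write $\Delta_{\underline{A}}$ for the diagonal
relation on $U\underline{A}$, which is indeed in $\mathrm{Sub}_{\mathcal{A}}(\underline{A} \times \underline{A})$. For $R \in \mathrm{Sub}_{\mathcal{C}}(A \times B)$, we write $R^{\mathrm{op}}$ for its
opposite relation in $\mathrm{Sub}_{\mathcal{C}}(B \times A)$. Similarly, for $Q \in \mathrm{Sub}_{\mathcal{A}}(\underline{A} \times \underline{B})$, we have $Q^{\mathrm{op}} \in \mathrm{Sub}_{\mathcal{A}}(\underline{B} \times \underline{A})$.
For $f\colon A' \to A$ and $g\colon B' \to B$ in $\mathcal{C}$, we write $(f, g)^{-1}R$ for $\{(x, y) \mid (f(x), g(y)) \in R\}$. Notice
that if $f\colon \underline{A}' \multimap \underline{A}$, $g\colon \underline{B}' \multimap \underline{B}$ in $\mathcal{A}$ and $Q \in \mathrm{Sub}_{\mathcal{A}}(\underline{A} \times \underline{B})$ then $(f, g)^{-1}Q \in \mathrm{Sub}_{\mathcal{A}}(\underline{A}' \times \underline{B}')$.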

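To formulate relational parametricity, we require two specified collections of admissible
relations, one $\mathcal{R}_{\mathcal{C}}(A, B) \subseteq \mathrm{Sub}_{\mathcal{C}}(A \times B)$ on objects of $\mathcal{C}$ and one $\mathcal{R}_{\mathcal{A}}(\underline{A}, \underline{B}) \subseteq \mathrm{Sub}_{\mathcal{A}}(\underline{A} \times \underline{B})$
on objects of $\mathcal{A}$. These are required to satisfy:

(R1): For each object $A$ of $\mathcal{C}$ the diagonal relation $\Delta_A$ is in $\mathcal{R}_{\mathcal{C}}(A, A)$ and likewise for each
object $\underline{A}$ of $\mathcal{A}$ the diagonal is in $\mathcal{R}_{\mathcal{A}}(\underline{A}, \underline{A})$.

(R2): Admissible relations are closed under reindexing, i.e., if $R \in \mathcal{R}_{\mathcal{C}}(A, B)$ and $f\colon A' \to A$,
$g\colon B' \to B$, then $(f, g)^{-1}R \in \mathcal{R}_{\mathcal{C}}(A', B')$ and if $Q \in \mathcal{R}_{\mathcal{A}}(\underline{A}, \underline{B})$ and $f\colon \underline{A}' \multimap \underline{A}$,
$g\colon \underline{B}' \multimap \underline{B}$, then $(f, g)^{-1}Q \in \mathcal{R}_{\mathcal{A}}(\underline{A}', \underline{B}')$.

(R3): For any set of admissible $\mathcal{C}$- (respectively $\mathcal{A}$-)relations on the same pair of objects,
the intersection is an admissible $\mathcal{C}$- (respectively $\mathcal{A}$-)relation.

(R4): $\mathcal{R}_{\mathcal{A}}(\underline{A}, \underline{B}) \subseteq \mathcal{R}_{\mathcal{C}}(U\underline{A}, U\underline{B})$.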

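(R1) and (R2) imply that graphs of functions are admissible, i.e., if $f\colon A \to B$ then
$\langle f \rangle =_{\mathrm{def}} \{(x, y) \mid f(x) = y\} \in \mathcal{R}_{\mathcal{C}}(A, B)$ and if $g\colon \underline{A} \multimap \underline{B}$ then $\langle g \rangle \in \mathcal{R}_{\mathcal{A}}(\underline{A}, \underline{B})$, for
$\langle f \rangle = (f, \mathrm{id}_B)^{-1}\Delta_B$ and $\langle g \rangle = (g, \mathrm{id}_{\underline{B}})^{-1}\Delta_{\underline{B}}$. Note also that if $\underline{A}, \underline{B} \in \mathcal{A}$ and $R \subseteq U\underline{A} \times U\underline{B}$
is any subset, then there exists a smallest admissible relation $R^{\circ} \in \mathcal{R}_{\mathcal{A}}(\underline{A}, \underline{B})$ containing $R$,
as we may take $R^{\circ}$ to be the intersection of all admissible relations containing $R$.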
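
The step from (R1) and (R2) to admissibility of graphs, written out as an added worked derivation (it is not part of the original paper), using only the reindexing notation $(f, g)^{-1}R$ defined above. For $f\colon A \to B$ in $\mathcal{C}$:

$$
\begin{aligned}
\Delta_B &\in \mathcal{R}_{\mathcal{C}}(B, B) && \text{by (R1)} \\
(f, \mathrm{id}_B)^{-1}\Delta_B &\in \mathcal{R}_{\mathcal{C}}(A, B) && \text{by (R2), reindexing along } f\colon A \to B \text{ and } \mathrm{id}_B\colon B \to B \\
(f, \mathrm{id}_B)^{-1}\Delta_B &= \{(x, y) \in A \times B \mid (f(x), \mathrm{id}_B(y)) \in \Delta_B\} && \text{definition of reindexing} \\
&= \{(x, y) \in A \times B \mid f(x) = y\} && \text{definition of the diagonal} \\
&= \langle f \rangle .
\end{aligned}
$$

The same three steps, with the diagonal on $U\underline{B}$, the homomorphism $g\colon \underline{A} \multimap \underline{B}$ and the identity homomorphism on $\underline{B}$ in place of $\Delta_B$, $f$ and $\mathrm{id}_B$, and with the algebra halves of (R1) and (R2), give $\langle g \rangle \in \mathcal{R}_{\mathcal{A}}(\underline{A}, \underline{B})$.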

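In many concrete models $\mathcal{R}_{\mathcal{C}}(A, B) = \mathrm{Sub}_{\mathcal{C}}(A \times B)$ and $\mathcal{R}_{\mathcal{A}}(\underline{A}, \underline{B}) = \mathrm{Sub}_{\mathcal{A}}(\underline{A} \times \underline{B})$ will
be a natural choice of admissible relations.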

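Lemma 3.4. If $\mathcal{C}$ satisfies (C1)-(C4) and $U\colon \mathcal{A} \to \mathcal{C}$ satisfies (A1)-(A4) then the
collections $\mathcal{R}_{\mathcal{C}}(A, B) = \mathrm{Sub}_{\mathcal{C}}(A \times B)$ and $\mathcal{R}_{\mathcal{A}}(\underline{A}, \underline{B}) = \mathrm{Sub}_{\mathcal{A}}(\underline{A} \times \underline{B})$ satisfy (R1)-(R4).

Proof. We just show that $\mathrm{Sub}_{\mathcal{A}}(\underline{A} \times \underline{B})$ is closed under intersections. So suppose we are given
a set $(Q_i)_{i \in I}$ of subsets in $\mathrm{Sub}_{\mathcal{A}}(\underline{A} \times \underline{B})$. We need to show that the subset $\bigcap_i Q_i \subseteq U\underline{A} \times U\underline{B}$
carries a subalgebra of $\underline{A} \times \underline{B}$. Denote for each $i \in I$ by $q_i\colon \underline{Q}'_i \multimap \underline{A} \times \underline{B}$ the mono in $\mathcal{A}$ above
the inclusion $Q_i \subseteq U\underline{A} \times U\underline{B}$ as specified by Lemma 3.3. Then the limit of the diagram
given by the $q_i$ as weakly created by $U$ is a subalgebra of $\underline{A} \times \underline{B}$ above $\bigcap_i Q_i \subseteq U\underline{A} \times U\underline{B}$. □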

By a parametric model of PE we shall mean any category $\mathcal{C}$ satisfying (C1)-(C4),
together with a category $\mathcal{A}$ and functor $U\colon \mathcal{A} \to \mathcal{C}$ satisfying (A1)-(A4) and collections $\mathcal{R}_{\mathcal{C}}$
and $\mathcal{R}_{\mathcal{A}}$ satisfying (R1)-(R4) above. The proposition below shows that every monad on $\mathcal{C}$
gives rise to a parametric model of PE. Thus the theory of relational parametricity for PE
that we shall develop over such models is applicable to arbitrary computational monads.

Proposition 3.5. Given $\mathcal{C}$ satisfying (C1)-(C4) and a monad $T$ on $\mathcal{C}$, let $\mathcal{A}$ be the category
of algebras for the monad, $U$ the forgetful functor and define $\mathcal{R}_{\mathcal{C}}(A, B) = \mathrm{Sub}_{\mathcal{C}}(A \times B)$ and
$\mathcal{R}_{\mathcal{A}}(\underline{A}, \underline{B}) = \mathrm{Sub}_{\mathcal{A}}(\underline{A} \times \underline{B})$. This data defines a parametric model of PE.

Proof. We have already argued above that (A1)-(A4) are satisfied, and (R1)-(R4) are
satisfied by Lemma 3.4. □

Notice that the assumption, familiar from the literature on computational monads
[22, 23], that the monad $T$ is strong does not need to be included in the above result. This is
for the simple reason that our set-theoretic setting renders all monads on $\mathcal{C}$ strong. For any
monad $T$, one defines the strength $t_{A,B}\colon A \times T(B) \to T(A \times B)$ as

$$t_{A,B}(x, y) = T((x, -))(y)$$

where $(x, -)\colon B \to A \times B$ maps $y$ to $(x, y)$. Moreover, this strength is unique because $\mathcal{C}$
has enough points [23, Proposition 3.4].

Although Proposition 3.5 is a useful general result, we comment that some applications
of PE require a different choice of model. For example, the application of PE to control
in [20] makes crucial use of the permitted flexibility in the definition of model. Here, we
briefly describe the steps taken in op. cit., in order to illustrate some of the variations of
model construction available. The construction begins with a category $\mathcal{C}$ satisfying (C1)-(C4),
together with a chosen object $R$ of $\mathcal{C}$. For technical reasons (see below), the object $R$ is
used to isolate the full subcategory $\mathcal{C}_R$ of $R$-replete objects in $\mathcal{C}$, in the sense of [H]. Next, $\mathcal{A}$
together with $U$ are obtained by building $\mathcal{A}$ as a certain carefully defined category equivalent
to $\mathcal{C}_R^{op}$, and $U$ as a functor naturally isomorphic to $R^{(-)}$. This situation satisfies (A1)-(A4).
The interesting cases are: (A1), which holds by the way $\mathcal{A}$ and $U$ are constructed;
and (A2), which holds because we restricted $\mathcal{A}$ to the $R$-replete objects. Finally, whereas
$\mathcal{R}_{\mathcal{C}}(A,B)$ is defined to be $\mathrm{Sub}_{\mathcal{C}}(A \times B)$, it is necessary, for the application to parametricity
for control, to define $\mathcal{R}_{\mathcal{A}}(\underline{A},\underline{B})$ to be the subset of $\mathrm{Sub}_{\mathcal{A}}(\underline{A} \times \underline{B})$ consisting of the $\top\top$-closed
relations, in the sense of Pitts [27] (see also [11]), as induced by the diagonal relation $\Delta_R$
on $R$. For full details of this construction, the reader is referred to [20].

One reason that the model construction outlined above departs from the form of model
provided by Proposition 3.5 is that, although there is an underlying continuations monad
$R^{R^{(-)}}$ present, the category $\mathcal{A}$ is not in general equivalent to the category of algebras for
this monad. The usefulness of such more general situations is already familiar from Levy's
work on CBPV [15], where the natural adjunction model of control does not involve the
Eilenberg-Moore category. One of the strengths of our axiomatic framework is that it is
able to accommodate such models.

One of the drawbacks of our framework is that certain convolutions are sometimes
necessary in order to construct a model satisfying the properties we require. For example,
in the model of control outlined above (and described fully in [20]), awkward steps are taken
in order to satisfy properties (A1) and (A2). An arguably preferable approach would be to
work with the more natural model in which $\mathcal{A}$ is simply $\mathcal{C}^{op}$ and $U$ is $R^{(-)}$, as in [15], even
though (A1) and (A2) are then violated. This raises the question of whether the awkward
properties (A1) and (A2) can be weakened. We shall return to this question in Section [HI
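
$\mathcal{C}[\![\forall X.\, B]\!]_\gamma = \{\pi \in \prod_{A \in \mathbf{C}} \mathcal{C}[\![B]\!]_{\gamma[A/X]} \mid \forall A,B \in \mathbf{C},\ \forall R \in \mathcal{R}_{\mathcal{C}}(A,B).\ \mathcal{R}[\![B]\!]_{\Delta_\gamma[R/X]}(\pi_A, \pi_B)\}$

$\mathcal{C}[\![\underline{X}]\!]_\gamma = U(\gamma(\underline{X}))$

$\mathcal{C}[\![\underline{A} \multimap \underline{B}]\!]_\gamma = \mathcal{A}[\![\underline{A}]\!]_\gamma \multimap \mathcal{A}[\![\underline{B}]\!]_\gamma$

$\mathcal{C}[\![\forall \underline{X}.\, B]\!]_\gamma = \{\kappa \in \prod_{\underline{A} \in \mathbf{A}} \mathcal{C}[\![B]\!]_{\gamma[\underline{A}/\underline{X}]} \mid \forall \underline{A},\underline{B} \in \mathbf{A},\ \forall Q \in \mathcal{R}_{\mathcal{A}}(\underline{A},\underline{B}).\ \mathcal{R}[\![B]\!]_{\Delta_\gamma[Q/\underline{X}]}(\kappa_{\underline{A}}, \kappa_{\underline{B}})\}$

$\mathcal{A}[\![B \to \underline{A}]\!]_\gamma = (\mathcal{A}[\![\underline{A}]\!]_\gamma)^{\mathcal{C}[\![B]\!]_\gamma}$

$\mathcal{A}[\![\forall X.\, \underline{A}]\!]_\gamma = \{\pi \in \prod_{A \in \mathbf{C}} \mathcal{A}[\![\underline{A}]\!]_{\gamma[A/X]} \mid \forall A,B \in \mathbf{C},\ \forall R \in \mathcal{R}_{\mathcal{C}}(A,B).\ \mathcal{R}[\![\underline{A}]\!]_{\Delta_\gamma[R/X]}(\pi_A, \pi_B)\}$

$\mathcal{A}[\![\underline{X}]\!]_\gamma = \gamma(\underline{X})$

$\mathcal{A}[\![\forall \underline{X}.\, \underline{A}]\!]_\gamma = \{\kappa \in \prod_{\underline{A} \in \mathbf{A}} \mathcal{A}[\![\underline{A}]\!]_{\gamma[\underline{A}/\underline{X}]} \mid \forall \underline{A},\underline{B} \in \mathbf{A},\ \forall Q \in \mathcal{R}_{\mathcal{A}}(\underline{A},\underline{B}).\ \mathcal{R}[\![\underline{A}]\!]_{\Delta_\gamma[Q/\underline{X}]}(\kappa_{\underline{A}}, \kappa_{\underline{B}})\}$

$\mathcal{R}[\![X]\!]_\rho(x_1,x_2) \iff \rho_{\mathcal{R}}(X)(x_1,x_2)$

$\mathcal{R}[\![B \to C]\!]_\rho(f_1,f_2) \iff \forall x_1 \in \mathcal{C}[\![B]\!]_{\rho_1}, x_2 \in \mathcal{C}[\![B]\!]_{\rho_2}.\ \mathcal{R}[\![B]\!]_\rho(x_1,x_2) \Rightarrow \mathcal{R}[\![C]\!]_\rho(f_1(x_1), f_2(x_2))$

$\mathcal{R}[\![\forall X.\, B]\!]_\rho(\pi_1,\pi_2) \iff \forall A_1,A_2 \in \mathbf{C},\ \forall R \in \mathcal{R}_{\mathcal{C}}(A_1,A_2).\ \mathcal{R}[\![B]\!]_{\rho[R/X]}((\pi_1)_{A_1}, (\pi_2)_{A_2})$

$\mathcal{R}[\![\underline{X}]\!]_\rho(x_1,x_2) \iff \rho_{\mathcal{R}}(\underline{X})(x_1,x_2)$

$\mathcal{R}[\![\underline{A} \multimap \underline{B}]\!]_\rho(h_1,h_2) \iff \forall x_1 \in \mathcal{C}[\![\underline{A}]\!]_{\rho_1}, x_2 \in \mathcal{C}[\![\underline{A}]\!]_{\rho_2}.\ \mathcal{R}[\![\underline{A}]\!]_\rho(x_1,x_2) \Rightarrow \mathcal{R}[\![\underline{B}]\!]_\rho(h_1(x_1), h_2(x_2))$

$\mathcal{R}[\![\forall \underline{X}.\, B]\!]_\rho(\kappa_1,\kappa_2) \iff \forall \underline{A}_1,\underline{A}_2 \in \mathbf{A},\ \forall Q \in \mathcal{R}_{\mathcal{A}}(\underline{A}_1,\underline{A}_2).\ \mathcal{R}[\![B]\!]_{\rho[Q/\underline{X}]}((\kappa_1)_{\underline{A}_1}, (\kappa_2)_{\underline{A}_2})$

Figure 3: Interpretation of Types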

4. Interpreting the calculus 

In this section we interpret PE in any parametric model as defined in Section 3. As
adumbrated there, a value type $B$ will be interpreted as a set $\mathcal{C}[\![B]\!]$ in $\mathcal{C}$, and a computation
type $\underline{A}$ will be interpreted as an algebra $\mathcal{A}[\![\underline{A}]\!]$. Since every computation type $\underline{A}$ is also a
value type, it is given two interpretations, and we shall ensure that these are related by
$U(\mathcal{A}[\![\underline{A}]\!]) = \mathcal{C}[\![\underline{A}]\!]$. In order to incorporate relational parametricity, we shall also give a
second interpretation of a value type $B$ as an admissible $\mathcal{C}$-relation $\mathcal{R}[\![B]\!]$. In the special
case of a computation type $\underline{A}$, it will hold automatically that $\mathcal{R}[\![\underline{A}]\!]$ is also an admissible
$\mathcal{A}$-relation.

Given a set of type variables $\Theta$, a $\Theta$-environment is a function $\gamma$ mapping every value-type
variable $X \in \Theta$ to an object $\gamma(X)$ of $\mathcal{C}$, and every computation-type variable $\underline{X} \in \Theta$ to
an object $\gamma(\underline{X})$ of $\mathcal{A}$. A relational $\Theta$-environment is a tuple $\rho = (\rho_1, \rho_2, \rho_{\mathcal{R}})$, where: $\rho_1, \rho_2$
are $\Theta$-environments; for every value-type variable $X \in \Theta$,

$$\rho_{\mathcal{R}}(X) \in \mathcal{R}_{\mathcal{C}}(\rho_1(X), \rho_2(X));$$

and, for every computation-type variable $\underline{X} \in \Theta$,

For each value type $B(\Theta)$ (i.e., type $B$ with $\mathrm{ftv}(B) \subseteq \Theta$) and $\Theta$-environment $\gamma$, we
define an object $\mathcal{C}[\![B]\!]_\gamma$ of $\mathcal{C}$; and, for each computation type $\underline{A}(\Theta)$ and $\Theta$-environment $\gamma$, we
define an object $\mathcal{A}[\![\underline{A}]\!]_\gamma$ of $\mathcal{A}$. Interdependently with the above, for each value type $B(\Theta)$ and
relational $\Theta$-environment $\rho$, we define an admissible $\mathcal{C}$-relation $\mathcal{R}[\![B]\!]_\rho \in \mathcal{R}_{\mathcal{C}}(\mathcal{C}[\![B]\!]_{\rho_1}, \mathcal{C}[\![B]\!]_{\rho_2})$.
The definitions are given in Figure 3. In these definitions, the products and powers used
in the definition of $\mathcal{C}[\![B]\!]_\gamma$ are the ones in $\mathcal{C}$, and those used in the definition of $\mathcal{A}[\![\underline{A}]\!]_\gamma$ are
those in $\mathcal{A}$, as (weakly) created by $U$. We write $\Delta_\gamma$ for the relational $\Theta$-environment that
maps $X$ (resp. $\underline{X}$) to $\Delta_{\gamma(X)}$ (resp. $\Delta_{\gamma(\underline{X})}$). We also use an obvious notation for update of
environments. The algebras defined by $\mathcal{A}[\![\forall X.\, \underline{A}]\!]_\gamma$ and $\mathcal{A}[\![\forall \underline{X}.\, \underline{A}]\!]_\gamma$ are the canonical algebras
carried by the subsets of the product algebras.

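Proposition 4.1. $\mathcal{C}[\![B]\!]_\gamma$, $\mathcal{A}[\![\underline{A}]\!]_\gamma$ and $\mathcal{R}[\![B]\!]_\rho$ are well defined by Figure 3. Further, for every
computation type $\underline{A}$, it holds that $\mathcal{C}[\![\underline{A}]\!]_\gamma = U(\mathcal{A}[\![\underline{A}]\!]_\gamma)$ and $\mathcal{R}[\![\underline{A}]\!]_\rho \in \mathcal{R}_{\mathcal{A}}(\mathcal{A}[\![\underline{A}]\!]_{\rho_1}, \mathcal{A}[\![\underline{A}]\!]_{\rho_2})$.

Proof. The proof of well definedness is by induction over the structure of types. We focus
first on showing that the relational interpretation of types defines admissible relations.
Notice first that the relation $\mathcal{R}[\![B \to C]\!]_\rho$ can be rewritten as

$$\bigcap_{(x_1,x_2) \in \mathcal{R}[\![B]\!]_\rho} (\mathrm{ev}_{x_1}, \mathrm{ev}_{x_2})^{-1}\, \mathcal{R}[\![C]\!]_\rho$$

where $\mathrm{ev}_{x_1}$ denotes the map from $\mathcal{C}[\![B \to C]\!]_{\rho_1}$ to $\mathcal{C}[\![C]\!]_{\rho_1}$ given by evaluation at $x_1$, and
$\mathrm{ev}_{x_2}$ is defined likewise. For value types $B$, $C$ it follows that $\mathcal{R}[\![B \to C]\!]_\rho$ is an admissible
$\mathcal{C}$-relation from the induction hypothesis and (R2) and (R3). If $C$ is a computation type,
$B \to C$ becomes a computation type and we must check that $\mathcal{R}[\![B \to C]\!]_\rho$ is an admissible
$\mathcal{A}$-relation. Since the object $\mathcal{A}[\![B \to C]\!]_{\rho_1}$ is defined as a product $(\mathcal{A}[\![C]\!]_{\rho_1})^{\mathcal{C}[\![B]\!]_{\rho_1}}$ in $\mathcal{A}$ and the
evaluation map $\mathrm{ev}_{x_1}$ is the projection, it is a homomorphism. So again $\mathcal{R}[\![B \to C]\!]_\rho$ being
admissible follows from the induction hypothesis and (R2), (R3). The proofs of the other
induction cases are similar.

To prove well definedness of $\mathcal{A}[\![\forall X.\, \underline{A}]\!]_\gamma$ notice first that the formula in Figure 3 defines
an element in $\mathrm{Sub}_{\mathcal{A}}(\prod_{A \in \mathbf{C}} \mathcal{A}[\![\underline{A}]\!]_{\gamma[A/X]})$ since it can be exhibited as the intersection

$$\bigcap_{A,B \in \mathbf{C},\ R \in \mathcal{R}_{\mathcal{C}}(A,B)} (p_A, p_B)^{-1}\, \mathcal{R}[\![\underline{A}]\!]_{\Delta_\gamma[R/X]} \qquad (4.1)$$

where $p_A, p_B$ are the projections from the product $\prod_{A \in \mathbf{C}} \mathcal{A}[\![\underline{A}]\!]_{\gamma[A/X]}$. The projections are
homomorphisms since the product is taken in the category $\mathcal{A}$ and thus, since $\mathcal{R}[\![\underline{A}]\!]_{\Delta_\gamma[R/X]}$ is
an $\mathcal{A}$-subobject by induction hypothesis, (4.1) defines an $\mathcal{A}$-subobject. We define $\mathcal{A}[\![\forall X.\, \underline{A}]\!]_\gamma$
to be the specified $\mathcal{A}$ object representing the subset as given by Lemma 3.3, thus defining
$\mathcal{A}[\![\forall X.\, \underline{A}]\!]_\gamma$ up to identity and not just up to isomorphism. □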

We include some basic lemmata about the type interpretation without proof. 

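Lemma 4.2. Suppose $\gamma$ is a $\Theta$-environment and $\rho$ is a relational $\Theta$-environment.
(1) If $B(\Theta,X)$ and $A(\Theta)$ then

$$\mathcal{C}[\![B[A/X]]\!]_\gamma = \mathcal{C}[\![B]\!]_{\gamma[\mathcal{C}[\![A]\!]_\gamma/X]}$$

(2) If B(Θ,X) and A(Θ) then

(3) If $\underline{B}(\Theta,X)$ and $A(\Theta)$ then

$$\mathcal{A}[\![\underline{B}[A/X]]\!]_\gamma = \mathcal{A}[\![\underline{B}]\!]_{\gamma[\mathcal{C}[\![A]\!]_\gamma/X]}$$

(4) If B(Θ,X) and A(Θ) then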

Lemma 4.3. For all types A(B) and any @- environment 7 the relations 7^[A]^°p and 
7?,|A]^op are equal, where 7°^ is the environment obtained by composing 7 with the function 

i-r- 

Lemma 4.4 (Identity extension). For any type $B(\Theta)$ and $\Theta$-environment $\gamma$, it holds that
$\mathcal{R}[\![B]\!]_{\Delta_\gamma} = \Delta_{\mathcal{C}[\![B]\!]_\gamma}$.

The above lemmata are all easily proved by induction on types. 

The interpretations of polymorphic types have been defined by taking products over
the sets $\mathbf{C}$, $\mathbf{A}$ respectively, but for the interpretation of terms below, it is crucial that we
can define projections out of these products for every $A$ in $\mathcal{C}$ (respectively $\underline{B}$ in $\mathcal{A}$) and not
just for those objects in the sets $\mathbf{C}$, $\mathbf{A}$. Essentially, we would like to be able to treat these
polymorphic types as if they had been defined using products over the classes of objects of
$\mathcal{C}$ and $\mathcal{A}$, even though set theory does not allow us to define such large products. It is a
pleasing fact that restriction to the parametric elements of the products allows us to do just
that, as the sequence of results from Proposition 4.5 to Lemma 4.10 below establishes. The
idea essentially goes back to [35], and was used in [18] to construct a model of parametric
polymorphism in the sense of fibered category theory.

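To formulate the first result, we define a morphism from $\Theta$-environments $\gamma$ to another
$\gamma'$ to be a family $f$ of functions indexed by type variables in $\Theta$ satisfying: for every value-type
variable $X \in \Theta$, the function $f_X$ is a function from $\gamma(X)$ to $\gamma'(X)$; and, for every
computation-type variable $\underline{X} \in \Theta$, the function $f_{\underline{X}}$ is a homomorphism from $\gamma(\underline{X})$ to $\gamma'(\underline{X})$.
Morphisms of $\Theta$-environments form a category under pointwise composition, and a $\Theta$-environment
isomorphism is just an isomorphism in this category. Given a $\Theta$-environment
morphism $f$ from $\gamma$ to $\gamma'$, we write $\langle f \rangle$ for the relational $\Theta$-environment with $\langle f \rangle_1 = \gamma$,
and $\langle f \rangle_2 = \gamma'$ and $\langle f \rangle_{\mathcal{R}}(X) = \langle f_X \rangle$ and $\langle f \rangle_{\mathcal{R}}(\underline{X}) = \langle f_{\underline{X}} \rangle$. Also, given a $\Theta$-environment
$\gamma$, we write $x \in \gamma$ for a family of elements indexed by type variables in $\Theta$ satisfying: for
every value-type variable $X \in \Theta$, it holds that $x_X \in \gamma(X)$ and, for every computation-type
variable $\underline{X} \in \Theta$, it holds that $x_{\underline{X}} \in U(\gamma(\underline{X}))$. Given a $\Theta$-environment morphism $f\colon \gamma \to \gamma'$
and $x \in \gamma$, we write $f(x)$ for the evident pointwise function application, which is an element
of $\gamma'$. Moreover, given a relational $\Theta$-environment $\rho$, and elements $x_1 \in \rho_1$ and $x_2 \in \rho_2$, we
write $\rho_{\mathcal{R}}(x_1,x_2)$ to mean that: for every $X \in \Theta$, it holds that $\rho_{\mathcal{R}}(X)(x_{1X}, x_{2X})$; and, for
every $\underline{X} \in \Theta$, it holds that $\rho_{\mathcal{R}}(\underline{X})(x_{1\underline{X}}, x_{2\underline{X}})$.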

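Proposition 4.5 (Groupoid action). For any type $C(\Theta)$, any two $\Theta$-environments $\gamma$, $\gamma'$,
and any $\Theta$-environment isomorphism $i\colon \gamma \to \gamma'$, there exists a unique isomorphism

$$\mathrm{gpd}[\![C]\!](i)\colon \mathcal{C}[\![C]\!]_\gamma \to \mathcal{C}[\![C]\!]_{\gamma'}$$

such that

$$\mathcal{R}[\![C]\!]_{\langle i \rangle} = \langle \mathrm{gpd}[\![C]\!](i) \rangle.$$

Moreover, if $C$ is a computation type then $\mathrm{gpd}[\![C]\!](i)$ is a homomorphism from $\mathcal{A}[\![C]\!]_\gamma$ to

Furthermore, given relational $\Theta$-environments $\rho$, $\rho'$, and given $\Theta$-environment isomorphisms
$i_1\colon \rho_1 \to \rho'_1$ and $i_2\colon \rho_2 \to \rho'_2$, if, for $x_1 \in \rho_1$, $x_2 \in \rho_2$,

$$\rho_{\mathcal{R}}(x_1,x_2) \implies \rho'_{\mathcal{R}}(i_1(x_1), i_2(x_2)),$$

then, for all $x_1 \in \mathcal{C}[\![C]\!]_{\rho_1}$, $x_2 \in \mathcal{C}[\![C]\!]_{\rho_2}$, we have:

$$\mathcal{R}[\![C]\!]_\rho(x_1,x_2) \implies \mathcal{R}[\![C]\!]_{\rho'}(\mathrm{gpd}[\![C]\!](i_1)(x_1), \mathrm{gpd}[\![C]\!](i_2)(x_2)).$$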

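Proof. By induction on the structure of the type $C$. We consider two cases.

If $C$ is $A \to B$ then the induction hypothesis gives isomorphisms $\mathrm{gpd}[\![A]\!](i)\colon \mathcal{C}[\![A]\!]_\gamma \to \mathcal{C}[\![A]\!]_{\gamma'}$
and $\mathrm{gpd}[\![B]\!](i)\colon \mathcal{C}[\![B]\!]_\gamma \to \mathcal{C}[\![B]\!]_{\gamma'}$. Using that $\mathcal{R}[\![A]\!]_{\langle i \rangle} = \langle \mathrm{gpd}[\![A]\!](i) \rangle$ and $\mathcal{R}[\![B]\!]_{\langle i \rangle} = \langle \mathrm{gpd}[\![B]\!](i) \rangle$,
one calculates that

$$\mathcal{R}[\![A \to B]\!]_{\langle i \rangle} = \langle f \mapsto \mathrm{gpd}[\![B]\!](i) \circ f \circ (\mathrm{gpd}[\![A]\!](i))^{-1} \rangle,$$

so we have:

$$\mathrm{gpd}[\![A \to B]\!](i) = f \mapsto \mathrm{gpd}[\![B]\!](i) \circ f \circ (\mathrm{gpd}[\![A]\!](i))^{-1},$$

which obviously is an isomorphism. Further, $C$ is a computation type just when $B$ is,
in which case we must show that $\mathrm{gpd}[\![A \to B]\!](i)$, as defined above, is a homomorphism.
By definition $\mathcal{A}[\![A \to B]\!]_{\gamma'}$ is a $\mathcal{C}[\![A]\!]_{\gamma'}$-fold product of $\mathcal{A}[\![B]\!]_{\gamma'}$ by itself as taken in $\mathcal{A}$, and
each evaluation map $\mathrm{ev}_x$, for $x \in \mathcal{C}[\![A]\!]_{\gamma'}$, is a projection. It suffices to show that for each
$x \in \mathcal{C}[\![A]\!]_{\gamma'}$ the composite $\mathrm{ev}_x \circ \mathrm{gpd}[\![A \to B]\!](i)$ is a homomorphism. But

$$\begin{aligned}
\mathrm{ev}_x \circ \mathrm{gpd}[\![A \to B]\!](i)(f) &= \mathrm{gpd}[\![B]\!](i) \circ f \circ (\mathrm{gpd}[\![A]\!](i))^{-1}(x) \\
&= \mathrm{gpd}[\![B]\!](i) \circ \mathrm{ev}_{(\mathrm{gpd}[\![A]\!](i))^{-1}(x)}(f)
\end{aligned}$$

and $\mathrm{gpd}[\![B]\!](i)$ is a homomorphism by induction hypothesis, and evaluation maps are
homomorphisms because they are projections out of a product taken in $\mathcal{A}$.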

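For the second half of the proposition, given isomorphisms $i_1\colon \rho_1 \to \rho'_1$ and $i_2\colon \rho_2 \to \rho'_2$
as in the hypothesis, we must show that if $\mathcal{R}[\![A \to B]\!]_\rho(f_1,f_2)$ and $\mathcal{R}[\![A]\!]_{\rho'}(x_1,x_2)$ then

$$\mathcal{R}[\![B]\!]_{\rho'}(\mathrm{gpd}[\![B]\!](i_1) \circ f_1 \circ (\mathrm{gpd}[\![A]\!](i_1))^{-1}(x_1),\ \mathrm{gpd}[\![B]\!](i_2) \circ f_2 \circ (\mathrm{gpd}[\![A]\!](i_2))^{-1}(x_2)) \qquad (4.2)$$

Note first that $(\mathrm{gpd}[\![A]\!](i_1))^{-1} = \mathrm{gpd}[\![A]\!](i_1^{-1})$ because

$$\begin{aligned}
\langle (\mathrm{gpd}[\![A]\!](i_1))^{-1} \rangle &= \langle \mathrm{gpd}[\![A]\!](i_1) \rangle^{op} \\
&= \langle \mathrm{gpd}[\![A]\!](i_1^{-1}) \rangle
\end{aligned}$$

where we have used Lemma 4.3. Similarly $(\mathrm{gpd}[\![A]\!](i_2))^{-1} = \mathrm{gpd}[\![A]\!](i_2^{-1})$. So by the
induction hypothesis, under the assumptions stated above

$$\mathcal{R}[\![A]\!]_\rho((\mathrm{gpd}[\![A]\!](i_1))^{-1}(x_1),\ (\mathrm{gpd}[\![A]\!](i_2))^{-1}(x_2))$$

and so also

$$\mathcal{R}[\![B]\!]_\rho(f_1 \circ (\mathrm{gpd}[\![A]\!](i_1))^{-1}(x_1),\ f_2 \circ (\mathrm{gpd}[\![A]\!](i_2))^{-1}(x_2))$$

from which we conclude (4.2) by a second application of the induction hypothesis.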
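
We define $\mathrm{gpd}[\![\forall \underline{X}.\, B]\!](i)$ by the formula

$$(\mathrm{gpd}[\![\forall \underline{X}.\, B]\!](i)(\kappa))_{\underline{A}} = \mathrm{gpd}[\![B]\!](i[\mathrm{id}_{\underline{A}}/\underline{X}])(\kappa_{\underline{A}}).$$

To see that this is well defined we must show that if $\underline{A}, \underline{C} \in \mathbf{A}$ and $Q \in \mathcal{R}_{\mathcal{A}}(\underline{A},\underline{C})$ then

$$\mathcal{R}[\![B]\!]_{\Delta_{\gamma'}[Q/\underline{X}]}(\mathrm{gpd}[\![B]\!](i[\mathrm{id}_{\underline{A}}/\underline{X}])(\kappa_{\underline{A}}),\ \mathrm{gpd}[\![B]\!](i[\mathrm{id}_{\underline{C}}/\underline{X}])(\kappa_{\underline{C}})). \qquad (4.3)$$

But since $\mathcal{R}[\![B]\!]_{\Delta_\gamma[Q/\underline{X}]}(\kappa_{\underline{A}}, \kappa_{\underline{C}})$ and since the pair $(i[\mathrm{id}_{\underline{A}}/\underline{X}], i[\mathrm{id}_{\underline{C}}/\underline{X}])$ maps pairs related in
$\Delta_\gamma[Q/\underline{X}]$ to pairs related in $\Delta_{\gamma'}[Q/\underline{X}]$ the induction hypothesis implies (4.3).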

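To show $\mathcal{R}[\![\forall \underline{X}.\, B]\!]_{\langle i \rangle} = \langle \mathrm{gpd}[\![\forall \underline{X}.\, B]\!](i) \rangle$, first suppose that $\mathcal{R}[\![\forall \underline{X}.\, B]\!]_{\langle i \rangle}(\kappa_1, \kappa_2)$. Then
$\mathcal{R}[\![B]\!]_{\langle i[\mathrm{id}_{\underline{A}}/\underline{X}] \rangle}((\kappa_1)_{\underline{A}}, (\kappa_2)_{\underline{A}})$ for all $\underline{A}$ and so by induction hypothesis $((\kappa_1)_{\underline{A}}, (\kappa_2)_{\underline{A}})$ is in
$\langle \mathrm{gpd}[\![B]\!](i[\mathrm{id}_{\underline{A}}/\underline{X}]) \rangle$ which implies $\mathrm{gpd}[\![\forall \underline{X}.\, B]\!](i)(\kappa_1) = \kappa_2$. Suppose on the other hand that
$\mathrm{gpd}[\![\forall \underline{X}.\, B]\!](i)(\kappa_1) = \kappa_2$. Then

$$\mathcal{R}[\![B]\!]_{\Delta_{\gamma'}[Q/\underline{X}]}((\mathrm{gpd}[\![\forall \underline{X}.\, B]\!](i)(\kappa_1))_{\underline{A}},\ (\kappa_2)_{\underline{C}})$$

for all $\underline{A}, \underline{C} \in \mathbf{A}$ and $Q \in \mathcal{R}_{\mathcal{A}}(\underline{A},\underline{C})$, i.e.,

$$\mathcal{R}[\![B]\!]_{\Delta_{\gamma'}[Q/\underline{X}]}(\mathrm{gpd}[\![B]\!](i[\mathrm{id}_{\underline{A}}/\underline{X}])((\kappa_1)_{\underline{A}}),\ (\kappa_2)_{\underline{C}}). \qquad (4.4)$$

The pair $(i^{-1}[\mathrm{id}_{\underline{A}}/\underline{X}], \mathrm{id}_{\gamma'}[\mathrm{id}_{\underline{C}}/\underline{X}])$ maps pairs related in $\Delta_{\gamma'}[Q/\underline{X}]$ to pairs related in
$\langle i \rangle[Q/\underline{X}]$, and so by induction hypothesis, the pair $(\mathrm{gpd}[\![B]\!](i^{-1}[\mathrm{id}_{\underline{A}}/\underline{X}]), \mathrm{gpd}[\![B]\!](\mathrm{id}_{\gamma'}[\mathrm{id}_{\underline{C}}/\underline{X}]))$
maps pairs related in $\mathcal{R}[\![B]\!]_{\Delta_{\gamma'}[Q/\underline{X}]}$ to pairs related in $\mathcal{R}[\![B]\!]_{\langle i \rangle[Q/\underline{X}]}$. As above, one can show
that

$$\mathrm{gpd}[\![B]\!](i^{-1}[\mathrm{id}_{\underline{A}}/\underline{X}]) = (\mathrm{gpd}[\![B]\!](i[\mathrm{id}_{\underline{A}}/\underline{X}]))^{-1}$$

and using Lemma also $\mathrm{gpd}[\![B]\!](\mathrm{id}_{\gamma'}[\mathrm{id}_{\underline{C}}/\underline{X}]) = \mathrm{id}_{\mathcal{C}[\![B]\!]_{\gamma'[\underline{C}/\underline{X}]}}$ and so by (4.4) we conclude

$$\mathcal{R}[\![B]\!]_{\langle i \rangle[Q/\underline{X}]}((\kappa_1)_{\underline{A}},\ (\kappa_2)_{\underline{C}}).$$

Since this holds for all $\underline{A}, \underline{C} \in \mathbf{A}$ and $Q \in \mathcal{R}_{\mathcal{A}}(\underline{A},\underline{C})$ this implies $\mathcal{R}[\![\forall \underline{X}.\, B]\!]_{\langle i \rangle}(\kappa_1, \kappa_2)$. In
conclusion we have shown $\mathcal{R}[\![\forall \underline{X}.\, B]\!]_{\langle i \rangle} = \langle \mathrm{gpd}[\![\forall \underline{X}.\, B]\!](i) \rangle$.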

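The type $\forall \underline{X}.\, B$ is a computation type exactly when $B$ is, and in this case we must
show that $\mathrm{gpd}[\![\forall \underline{X}.\, B]\!](i)$ is a homomorphism. Similarly to the case of function spaces,
since $\mathcal{A}[\![\forall \underline{X}.\, B]\!]_{\gamma'}$ is constructed as a limit in $\mathcal{A}$ it suffices to show that each composite
$p_{\underline{A}} \circ \mathrm{gpd}[\![\forall \underline{X}.\, B]\!](i)$ is a homomorphism, where $p_{\underline{A}}$ is the projection defined as $p_{\underline{A}}(\kappa) = \kappa_{\underline{A}}$.
Since

$$\begin{aligned}
p_{\underline{A}} \circ \mathrm{gpd}[\![\forall \underline{X}.\, B]\!](i)(\kappa) &= \mathrm{gpd}[\![B]\!](i[\mathrm{id}_{\underline{A}}/\underline{X}])(\kappa_{\underline{A}}) \\
&= \mathrm{gpd}[\![B]\!](i[\mathrm{id}_{\underline{A}}/\underline{X}]) \circ p_{\underline{A}}(\kappa)
\end{aligned}$$

this follows by the induction hypothesis.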

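For the last part of the proposition, suppose the pair $(i_1, i_2)$ maps pairs related in $\rho$ to
pairs related in $\rho'$, and suppose $\mathcal{R}[\![\forall \underline{X}.\, B]\!]_\rho(\kappa_1, \kappa_2)$. We must show that

$$\mathcal{R}[\![\forall \underline{X}.\, B]\!]_{\rho'}(\mathrm{gpd}[\![\forall \underline{X}.\, B]\!](i_1)(\kappa_1),\ \mathrm{gpd}[\![\forall \underline{X}.\, B]\!](i_2)(\kappa_2)),$$

i.e., we must show that for any $\underline{A}, \underline{C} \in \mathbf{A}$, $Q \in \mathcal{R}_{\mathcal{A}}(\underline{A},\underline{C})$

$$\mathcal{R}[\![B]\!]_{\rho'[Q/\underline{X}]}(\mathrm{gpd}[\![B]\!](i_1[\mathrm{id}_{\underline{A}}/\underline{X}])((\kappa_1)_{\underline{A}}),\ \mathrm{gpd}[\![B]\!](i_2[\mathrm{id}_{\underline{C}}/\underline{X}])((\kappa_2)_{\underline{C}})).$$

Since the pair $(i_1[\mathrm{id}_{\underline{A}}/\underline{X}], i_2[\mathrm{id}_{\underline{C}}/\underline{X}])$ maps pairs related in $\rho[Q/\underline{X}]$ to pairs related in
$\rho'[Q/\underline{X}]$ this follows from the induction hypothesis. □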
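
Corollary 4.6. The mapping of isomorphisms between $\Theta$-environments, $i$, to $\mathrm{gpd}[\![C]\!](i)$ is
functorial.

Proof. Preservation of identities is Lemma 4.4. For preservation of composition, suppose
$i\colon \rho \to \rho'$ and $j\colon \rho' \to \rho''$. If $\langle i \rangle(x,y)$ then $\langle j \circ i \rangle(x, j(y))$ so by Proposition 4.5 if $\mathcal{R}[\![C]\!]_{\langle i \rangle}(x,y)$
then $\mathcal{R}[\![C]\!]_{\langle j \circ i \rangle}(x, \mathrm{gpd}[\![C]\!](j)(y))$. Since $\mathcal{R}[\![C]\!]_{\langle i \rangle}(x, \mathrm{gpd}[\![C]\!](i)(x))$, we conclude

$$\mathcal{R}[\![C]\!]_{\langle j \circ i \rangle}(x,\ \mathrm{gpd}[\![C]\!](j) \circ \mathrm{gpd}[\![C]\!](i)(x))$$

for all $x$, i.e., $\mathrm{gpd}[\![C]\!](j) \circ \mathrm{gpd}[\![C]\!](i) = \mathrm{gpd}[\![C]\!](j \circ i)$ as desired. □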

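Corollary 4.7. For any type $B(\Theta,X)$, relational $\Theta$-environment $\rho$, any relation $R$ in
$\mathcal{R}_{\mathcal{C}}(A,C)$, and any pair of isomorphisms $i\colon A' \to A$, $j\colon C' \to C$

$$\mathcal{R}[\![B]\!]_{\rho[(i,j)^{-1}R/X]} = (\mathrm{gpd}[\![B]\!](\mathrm{id}_{\rho_1}[i/X]),\ \mathrm{gpd}[\![B]\!](\mathrm{id}_{\rho_2}[j/X]))^{-1}\, \mathcal{R}[\![B]\!]_{\rho[R/X]}.$$

Similarly for any type $B(\Theta,\underline{X})$, relational $\Theta$-environment $\rho$, any relation $R \in \mathcal{R}_{\mathcal{A}}(\underline{A},\underline{C})$
and any pair of isomorphisms $i\colon \underline{A}' \to \underline{A}$, $j\colon \underline{C}' \to \underline{C}$

$$\mathcal{R}[\![B]\!]_{\rho[(i,j)^{-1}R/\underline{X}]} = (\mathrm{gpd}[\![B]\!](\mathrm{id}_{\rho_1}[i/\underline{X}]),\ \mathrm{gpd}[\![B]\!](\mathrm{id}_{\rho_2}[j/\underline{X}]))^{-1}\, \mathcal{R}[\![B]\!]_{\rho[R/\underline{X}]}.$$

Proof. We just prove the first part. Since the pair $(i,j)$ maps pairs related in $(i,j)^{-1}R$ to
pairs related in $R$, by Proposition 4.5 the pair $(\mathrm{gpd}[\![B]\!](\mathrm{id}_{\rho_1}[i/X]), \mathrm{gpd}[\![B]\!](\mathrm{id}_{\rho_2}[j/X]))$ maps
pairs related in $\mathcal{R}[\![B]\!]_{\rho[(i,j)^{-1}R/X]}$ to pairs related in $\mathcal{R}[\![B]\!]_{\rho[R/X]}$. This means that

$$\mathcal{R}[\![B]\!]_{\rho[(i,j)^{-1}R/X]} \subseteq (\mathrm{gpd}[\![B]\!](\mathrm{id}_{\rho_1}[i/X]),\ \mathrm{gpd}[\![B]\!](\mathrm{id}_{\rho_2}[j/X]))^{-1}\, \mathcal{R}[\![B]\!]_{\rho[R/X]}. \qquad (4.5)$$

Since $R = (i^{-1},j^{-1})^{-1}(i,j)^{-1}R$ we can apply the above to the pair $(i^{-1},j^{-1})$ and obtain

$$\mathcal{R}[\![B]\!]_{\rho[R/X]} \subseteq (\mathrm{gpd}[\![B]\!](\mathrm{id}_{\rho_1}[i^{-1}/X]),\ \mathrm{gpd}[\![B]\!](\mathrm{id}_{\rho_2}[j^{-1}/X]))^{-1}\, \mathcal{R}[\![B]\!]_{\rho[(i,j)^{-1}R/X]}$$

from which we conclude

$$(\mathrm{gpd}[\![B]\!](\mathrm{id}_{\rho_1}[i/X]),\ \mathrm{gpd}[\![B]\!](\mathrm{id}_{\rho_2}[j/X]))^{-1}\, \mathcal{R}[\![B]\!]_{\rho[R/X]} \subseteq \mathcal{R}[\![B]\!]_{\rho[(i,j)^{-1}R/X]}. \qquad (4.6)$$

The corollary is now the collected statement of (4.5) and (4.6). □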

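Now, for any set $A$ in $\mathcal{C}$, let $C \in \mathbf{C}$ be such that $C \cong A$ by way of the isomorphism
$i\colon C \to A$. Using the groupoid action defined above, we have $\mathrm{gpd}[\![B]\!](\mathrm{id}_\gamma[i/X])(\pi_C) \in \mathcal{C}[\![B]\!]_{\gamma[A/X]}$.
Similarly, for any algebra $\underline{A}$ in $\mathcal{A}$, let $\underline{C} \in \mathbf{A}$ be such that $\underline{C} \cong \underline{A}$ by way of
$j\colon \underline{C} \to \underline{A}$. Then we have $\mathrm{gpd}[\![B]\!](\mathrm{id}_\gamma[j/\underline{X}])(\kappa_{\underline{C}}) \in \mathcal{C}[\![B]\!]_{\gamma[\underline{A}/\underline{X}]}$.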

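Lemma 4.8. For $\pi \in \mathcal{C}[\![\forall X.\, B]\!]_\gamma$ and $A$ in $\mathcal{C}$:

(1) The value $\mathrm{gpd}[\![B]\!](\mathrm{id}_\gamma[i/X])(\pi_C)$ is independent of the choice of $C$ and $i$.

(2) If $A \in \mathbf{C}$ then $\mathrm{gpd}[\![B]\!](\mathrm{id}_\gamma[i/X])(\pi_C) = \pi_A$.

Similarly, for $\kappa \in \mathcal{C}[\![\forall \underline{X}.\, B]\!]_\gamma$ and $\underline{A}$ in $\mathcal{A}$:

(3) The value $\mathrm{gpd}[\![B]\!](\mathrm{id}_\gamma[j/\underline{X}])(\kappa_{\underline{C}})$ is independent of the choice of $\underline{C}$ and $j$.

(4) If $\underline{A} \in \mathbf{A}$ then $\mathrm{gpd}[\![B]\!](\mathrm{id}_\gamma[j/\underline{X}])(\kappa_{\underline{C}}) = \kappa_{\underline{A}}$.

Proof. We prove 1. Suppose $i\colon C \to A$, $i'\colon C' \to A$ are isomorphisms. We must show
that $\mathrm{gpd}[\![B]\!](\mathrm{id}_\gamma[i/X])(\pi_C) = \mathrm{gpd}[\![B]\!](\mathrm{id}_\gamma[i'/X])(\pi_{C'})$. By the parametricity condition in
the definition of $\mathcal{C}[\![\forall X.\, B]\!]_\gamma$, $\mathcal{R}[\![B]\!]_{\Delta_\gamma[\langle i'^{-1} \circ i \rangle/X]}(\pi_C, \pi_{C'})$, which means that

$$\langle \mathrm{gpd}[\![B]\!](\mathrm{id}_\gamma[i'^{-1} \circ i/X]) \rangle(\pi_C, \pi_{C'}).$$

Now by definition of graph relations and functoriality of the groupoid action this implies

$$\mathrm{gpd}[\![B]\!](\mathrm{id}_\gamma[i/X])(\pi_C) = \mathrm{gpd}[\![B]\!](\mathrm{id}_\gamma[i'/X])(\pi_{C'})$$

as desired. Item 2 is an immediate consequence: use the identity on $A$ for $i$. □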

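The above lemma justifies introducing the following very useful notation. Given $\pi$ in
$\mathcal{C}[\![\forall X.\, B]\!]_\gamma$, then, for any $A$ in $\mathcal{C}$, we write $\pi(A)$ for $\mathrm{gpd}[\![B]\!](\mathrm{id}_\gamma[i/X])(\pi_C)$, where $i\colon C \to A$ is
an isomorphism and $C \in \mathbf{C}$. Similarly, given $\kappa \in \mathcal{C}[\![\forall \underline{X}.\, B]\!]_\gamma$, then, for any $\underline{A} \in \mathcal{A}$ we write
$\kappa(\underline{A})$ for $\mathrm{gpd}[\![B]\!](\mathrm{id}_\gamma[j/\underline{X}])(\kappa_{\underline{C}})$, where $j\colon \underline{C} \to \underline{A}$ is an isomorphism and $\underline{C} \in \mathbf{A}$. The above
notation defines the required projections exhibiting $\pi$ and $\kappa$ as elements of large products
indexed by the objects of $\mathcal{C}$ and $\mathcal{A}$ respectively. The lemma below shows that the tuples $\pi$
and $\kappa$ remain parametric when considered as elements of the large products, i.e., that the
derived projections preserve relations.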

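Lemma 4.9.

(1) If $\mathcal{R}[\![\forall X.\, B]\!]_\rho(\pi,\pi')$ then, for all sets $A, C$ in $\mathcal{C}$ and relations $R \in \mathcal{R}_{\mathcal{C}}(A,C)$, it holds
that $\mathcal{R}[\![B]\!]_{\rho[R/X]}(\pi(A), \pi'(C))$.

(2) If $\mathcal{R}[\![\forall \underline{X}.\, B]\!]_\rho(\kappa,\kappa')$ then, for all algebras $\underline{A}, \underline{C}$ in $\mathcal{A}$ and relations $Q \in \mathcal{R}_{\mathcal{A}}(\underline{A},\underline{C})$, it
holds that $\mathcal{R}[\![B]\!]_{\rho[Q/\underline{X}]}(\kappa(\underline{A}), \kappa'(\underline{C}))$.

Proof. We just prove item 1 of the lemma; item 2 is proved similarly. Suppose we are
given sets $A, C$ in $\mathcal{C}$ and a relation $R \in \mathcal{R}_{\mathcal{C}}(A,C)$. Then we know that there exist sets
$A', C' \in \mathbf{C}$ and isomorphisms $i\colon A' \to A$, $j\colon C' \to C$. By definition, if $\mathcal{R}[\![\forall X.\, B]\!]_\rho(\pi,\pi')$
then $\mathcal{R}[\![B]\!]_{\rho[(i,j)^{-1}R/X]}(\pi_{A'}, \pi'_{C'})$ and so by Corollary 4.7

$$(\mathrm{gpd}[\![B]\!](\mathrm{id}_{\rho_1}[i/X]),\ \mathrm{gpd}[\![B]\!](\mathrm{id}_{\rho_2}[j/X]))^{-1}\, \mathcal{R}[\![B]\!]_{\rho[R/X]}(\pi_{A'}, \pi'_{C'}).$$

So $(\pi(A), \pi'(C)) = (\mathrm{gpd}[\![B]\!](\mathrm{id}_{\rho_1}[i/X])(\pi_{A'}),\ \mathrm{gpd}[\![B]\!](\mathrm{id}_{\rho_2}[j/X])(\pi'_{C'}))$ are in $\mathcal{R}[\![B]\!]_{\rho[R/X]}$. □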

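Lemma 4.10. For any computation type $\underline{B}(\Theta,X)$, any $\Theta$-environment $\gamma$ and any $A$ in
$\mathcal{C}$ the projection $p_A\colon \mathcal{A}[\![\forall X.\, \underline{B}]\!]_\gamma \to \mathcal{A}[\![\underline{B}]\!]_{\gamma[A/X]}$ mapping $\kappa$ to $\kappa(A)$ is a homomorphism.
Similarly for any $\underline{B}(\Theta,\underline{X})$ and any $\underline{A} \in \mathcal{A}$ the projection $p_{\underline{A}}\colon \mathcal{A}[\![\forall \underline{X}.\, \underline{B}]\!]_\gamma \to \mathcal{A}[\![\underline{B}]\!]_{\gamma[\underline{A}/\underline{X}]}$ is a
homomorphism.

Proof. Note first that for $A$ in $\mathbf{C}$, the projection $p_A$ is a homomorphism since $\mathcal{A}[\![\forall X.\, \underline{B}]\!]_\gamma$
is defined as a representative of an $\mathcal{A}$-subobject of a $\mathbf{C}$-indexed $\mathcal{A}$-product and $p_A$ is the
inclusion of the subobject followed by the projection. In general, $p_A(\kappa)$ is defined to be

$$\mathrm{gpd}[\![\underline{B}]\!](\mathrm{id}_\gamma[i/X])(p_{A'}(\kappa))$$

for any $A' \in \mathbf{C}$, and isomorphism $i\colon A' \to A$. Since by Proposition 4.5 $\mathrm{gpd}[\![\underline{B}]\!](\mathrm{id}_\gamma[i/X])$
is a homomorphism, we see that $p_A$ is a composition of homomorphisms and so itself a
homomorphism. The second half of the lemma is proved similarly. □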

In the conference version of this paper [19], we saved space by using fictitious large products in the
definition of the interpretation of polymorphic types. Here, by giving the honest definition, and deriving the
required consequences, we are providing the missing technical justification for the use of large products in
op. cit.
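
[Ax: B. tj^ = [A°x: A. t}^ = {d: €{8}^ ^

$[\![s(t)]\!]_\gamma = [\![s]\!]_\gamma([\![t]\!]_\gamma)$

$[\![\Lambda X.\, t]\!]_\gamma = \{[\![t]\!]_{\gamma[A/X]}\}_{A \in \mathbf{C}}$

$[\![(t\colon \forall X.\, B)(A)]\!]_\gamma = ([\![t]\!]_\gamma)(\mathcal{C}[\![A]\!]_\gamma)$

$[\![\Lambda \underline{X}.\, t]\!]_\gamma = \{[\![t]\!]_{\gamma[\underline{A}/\underline{X}]}\}_{\underline{A} \in \mathbf{A}}$

$[\![(t\colon \forall \underline{X}.\, B)(\underline{A})]\!]_\gamma = ([\![t]\!]_\gamma)(\mathcal{A}[\![\underline{A}]\!]_\gamma)$

Figure 4: Interpretation of Terms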

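Next, we define the interpretation of terms. Given a context $\Gamma$ with all free type
variables in $\Theta$, a $\Theta$-$\Gamma$-environment is a function $\gamma$ defined on both the type variables in $\Theta$
and the term variables in $\Gamma$, such that the restriction of $\gamma$ to $\Theta$ is a $\Theta$-environment, and,
for every type assignment $x\colon B$ in $\Gamma$, it holds that $\gamma(x) \in \mathcal{C}[\![B]\!]_\gamma$. A term $\Gamma \mid \Delta \vdash_\Theta t\colon B$ (i.e.,
such that $\mathrm{ftv}(\Gamma,\Delta,t,B) \subseteq \Theta$) is interpreted as an element $[\![t]\!]_\gamma \in \mathcal{C}[\![B]\!]_\gamma$, relative to any
$\Theta$-$(\Gamma,\Delta)$-environment $\gamma$. The definition of $[\![t]\!]_\gamma$ is given in Figure 4. In the two clauses that
apply to $t(A)$, we distinguish between the cases for $t$ of type $\forall X.\, B$ and $\forall \underline{X}.\, B$. Note that
the definition of $[\![s(t)]\!]_\gamma$ applies uniformly, whether $s$ has type $B \to C$ or $\underline{A} \multimap \underline{B}$.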

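Proposition 4.11. If $\Gamma \mid \Delta \vdash_\Theta t\colon B$ then:

(1) (Well-definedness) For any $\Theta$-$(\Gamma,\Delta)$-environment $\gamma$, the value $[\![t]\!]_\gamma \in \mathcal{C}[\![B]\!]_\gamma$ is well
defined.

(2) (Relational invariance) For any relational $\Theta$-environment $\rho$, and $\Theta$-$(\Gamma,\Delta)$-environments
$\gamma_1, \gamma_2$ extending $\rho_1, \rho_2$ respectively, define

$$\mathcal{R}[\![\Gamma]\!]_\rho(\gamma_1,\gamma_2) \iff \forall x\colon A \in (\Gamma,\Delta).\ \mathcal{R}[\![A]\!]_\rho(\gamma_1(x), \gamma_2(x)).$$

Then $\mathcal{R}[\![\Gamma]\!]_\rho(\gamma_1,\gamma_2)$ implies $\mathcal{R}[\![B]\!]_\rho([\![t]\!]_{\gamma_1}, [\![t]\!]_{\gamma_2})$.

If $\Gamma \mid x\colon \underline{A} \vdash_\Theta t\colon \underline{B}$ then:

(3) (Homomorphism property) For any $\Theta$-$\Gamma$-environment $\gamma$, the function $d \in \mathcal{C}[\![\underline{A}]\!]_\gamma \mapsto
[\![t]\!]_{\gamma[d/x]}$ is a homomorphism from $\mathcal{A}[\![\underline{A}]\!]_\gamma$ to $\mathcal{A}[\![\underline{B}]\!]_\gamma$.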

Proof (sketch). The three statements of the proposition are proved simultaneously by structural
induction on $t$. Most of the cases are standard and we just show a few.

We prove the homomorphism property in the case of application of a polymorphic term
$t\colon \forall X.\, \underline{B}$ to a value type $A$. By definition

and so by the induction hypothesis and Lemma 4.10 $d \mapsto [\![t(A)]\!]_{\gamma[d/x]}$ is a composition of
homomorphisms.

The homomorphism property in the case of function application $t(s)$ for $t\colon \underline{B} \multimap \underline{C}$
follows from well definedness: by induction hypothesis $[\![t]\!]_\gamma \in \mathcal{C}[\![\underline{B} \multimap \underline{C}]\!]_\gamma$ and so is a homomorphism,
so if $d \in \mathcal{C}[\![\underline{A}]\!]_\gamma \mapsto [\![s]\!]_{\gamma[d/x]}$ is a homomorphism so is $d \in \mathcal{C}[\![\underline{A}]\!]_\gamma \mapsto [\![t]\!]_\gamma([\![s]\!]_{\gamma[d/x]})$.
Likewise well definedness in the case of linear lambda abstraction: $\lambda^\circ x\colon \underline{A}.\, t$ follows from the
homomorphism property for $t$.

We show well definedness in one of the cases of polymorphic lambda abstraction:
$\Lambda X.\, t\colon \forall X.\, B$. Here we must show that $\{[\![t]\!]_{\gamma[A/X]}\}_{A \in \mathbf{C}}$ satisfies the parametricity condition
in the definition of $\mathcal{C}[\![\forall X.\, B]\!]_\gamma$: for all $A, B \in \mathbf{C}$ and all relations $R \in \mathcal{R}_{\mathcal{C}}(A,B)$,

$$\mathcal{R}[\![B]\!]_{\Delta_\gamma[R/X]}([\![t]\!]_{\gamma[A/X]},\ [\![t]\!]_{\gamma[B/X]})$$

This follows from the relational invariance property for $t$, as assumed in the induction hypothesis,
since $\mathcal{R}[\![\Gamma]\!]_{\Delta_\gamma}(\gamma,\gamma)$ holds by the identity extension lemma. Likewise, the relational
invariance property in the case of type application of polymorphic terms follows from well
definedness using Lemma 4.9.

To show relational invariance in case of polymorphic application at computation types
$t(\underline{A})$ we may use the induction hypothesis

$$\mathcal{R}[\![\forall \underline{X}.\, B]\!]_\rho([\![t]\!]_{\gamma_1}, [\![t]\!]_{\gamma_2}).$$

From Lemma 4.9 it follows that
Finally, Lemma 4.2 implies

as desired. □

Our main application of the model will be to establish semantic equalities between
terms. Henceforth, for $\Gamma \mid \Delta \vdash s\colon B$ and $\Gamma \mid \Delta \vdash t\colon B$, we write $\Gamma \mid \Delta \vdash s = t\colon B$ to mean
that $[\![s]\!]_\gamma = [\![t]\!]_\gamma$ for all appropriate $\gamma$. For a syntactic equality theory we refer to [21].

5. Monadic types 

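In this section, we study the encoding of monadic types $!B$ in our calculus, as defined
by equation (1.1) of Section 1. One sees immediately that $!B$ is always a computation type.
We show that it enjoys the following derived introduction and elimination rules.

$$\frac{\Gamma \mid - \vdash t\colon B}{\Gamma \mid - \vdash {!t}\colon {!B}} \qquad\qquad \frac{\Gamma \mid \Delta \vdash t\colon {!B} \qquad \Gamma, x\colon B \mid - \vdash u\colon \underline{A}}{\Gamma \mid \Delta \vdash \mathrm{let}\ {!x}\ \mathrm{be}\ t\ \mathrm{in}\ u\colon \underline{A}}$$

Indeed, for this simply define:

$${!t} =_{\mathrm{def}} \Lambda \underline{X}.\ \lambda p\colon B \to \underline{X}.\ p(t)$$

$$\mathrm{let}\ {!x}\ \mathrm{be}\ t\ \mathrm{in}\ u =_{\mathrm{def}} t(\underline{A})(\lambda x\colon B.\ u).$$

It is the above rules that motivate our notation for the ! type constructor, since these are
simply restrictions of the usual rules for the exponential ! of intuitionistic linear logic; for
example, as formulated in Plotkin and Barber's DILL [2].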

As a first application of relational parametricity for our system, we show that $!B$ has
the correct universal property for Moggi's monadic type. To keep the semantic notation
bearable, we frequently omit semantic brackets, treating syntactic objects as the semantic
elements they define, and we freely mix syntactic expressions with semantic values. For
example, given any set $A$ in $\mathcal{C}$, we simply write $!A$ rather than C|! or .4,|!
referring to $!A$ as a set or as an algebra respectively when disambiguation is needed.

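Lemma 5.1.

(1) If $\Gamma \mid - \vdash t\colon B$ and $\Gamma, x\colon B \mid - \vdash u\colon \underline{A}$ then $\Gamma \mid - \vdash \mathrm{let}\ {!x}\ \mathrm{be}\ {!t}\ \mathrm{in}\ u = u[t/x]\colon \underline{A}$.

(2) $\Gamma \mid y\colon {!A} \vdash y = \mathrm{let}\ {!x}\ \mathrm{be}\ y\ \mathrm{in}\ {!x}\colon {!A}$.

(3) Suppose that $\Gamma \mid \Delta \vdash s\colon {!A}$, $\Gamma, x\colon A \mid - \vdash t\colon \underline{B}$ and $\Gamma \mid y\colon \underline{B} \vdash u\colon \underline{C}$, then $\Gamma \mid \Delta \vdash
\mathrm{let}\ {!x}\ \mathrm{be}\ s\ \mathrm{in}\ u[t/y] = u[\mathrm{let}\ {!x}\ \mathrm{be}\ s\ \mathrm{in}\ t / y]\colon \underline{C}$.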

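Proof. Item 1 is a straightforward consequence of the semantic validity of beta equality.

For 2 we must show that $y = y({!A})(\lambda x\colon A.\ {!x})$ at type $\forall \underline{X}.\ (A \to \underline{X}) \to \underline{X}$. By
evident extensionality properties of the model, it suffices to show that, for any algebra $\underline{B}$
and $f\colon A \to U\underline{B}$ in $\mathcal{C}$, we have $y(\underline{B})(f) = y({!A})(\lambda x\colon A.\ {!x})(\underline{B})(f)$.

Consider the homomorphism $g\colon {!A} \multimap \underline{B}$ defined by $g(z) = z(\underline{B})(f)$. Then $\langle g \rangle$ is in
$\mathcal{R}_{\mathcal{A}}({!A}, \underline{B})$. So, by parametricity,

$$((\Delta_A \to \langle g \rangle) \to \langle g \rangle)(y({!A}),\ y(\underline{B})). \qquad (5.1)$$

For any $x \in A$, we have $g({!x}) = (\Lambda \underline{X}.\ \lambda p.\ p(x))(\underline{B})(f) = f(x)$, i.e.,

$$(\Delta_A \to \langle g \rangle)(\lambda x\colon A.\ {!x},\ f). \qquad (5.2)$$

Combining (5.1) and (5.2), we obtain that

$$\langle g \rangle(y({!A})(\lambda x\colon A.\ {!x}),\ y(\underline{B})(f)),$$

i.e., $g(y({!A})(\lambda x\colon A.\ {!x})) = y(\underline{B})(f)$. Thus it indeed holds that

$$y({!A})(\lambda x\colon A.\ {!x})(\underline{B})(f) = y(\underline{B})(f).$$

For 3, $h = \lambda^\circ y\colon \underline{B}.\ u\colon \underline{B} \multimap \underline{C}$ is a homomorphism, so $\langle h \rangle \in \mathcal{R}_{\mathcal{A}}(\underline{B},\underline{C})$. By parametricity,
we have that

$$((\Delta_A \to \langle h \rangle) \to \langle h \rangle)(s(\underline{B}),\ s(\underline{C})). \qquad (5.3)$$

Consider $\lambda x\colon A.\ t\colon A \to \underline{B}$ and $\lambda x\colon A.\ u[t/y]\colon A \to \underline{C}$. Then, for $x \in A$, it holds that
$h((\lambda x\colon A.\ t)(x)) = u[t/y] = (\lambda x\colon A.\ u[t/y])(x)$, i.e.,

$$(\Delta_A \to \langle h \rangle)(\lambda x\colon A.\ t,\ \lambda x\colon A.\ u[t/y]). \qquad (5.4)$$

Combining (5.3) and (5.4), we obtain that

$$\langle h \rangle(s(\underline{B})(\lambda x\colon A.\ t),\ s(\underline{C})(\lambda x\colon A.\ u[t/y])),$$

i.e., $h(s(\underline{B})(\lambda x\colon A.\ t)) = s(\underline{C})(\lambda x\colon A.\ u[t/y])$. So indeed we have $u[\mathrm{let}\ {!x}\ \mathrm{be}\ s\ \mathrm{in}\ t / y] =
h(s(\underline{B})(\lambda x\colon A.\ t)) = s(\underline{C})(\lambda x\colon A.\ u[t/y]) = \mathrm{let}\ {!x}\ \mathrm{be}\ s\ \mathrm{in}\ u[t/y]$. □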
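
Item 1 of Lemma 5.1 unfolded with the definitions of !t and let given at the start of this section, as an added worked derivation (not part of the original paper). It assumes, as usual, that the bound type variable $\underline{X}$ is chosen fresh, so that it does not occur in $t$ or $B$; the steps are one type-level and two term-level beta reductions:

$$\begin{aligned}
\mathrm{let}\ {!x}\ \mathrm{be}\ {!t}\ \mathrm{in}\ u
&= ({!t})(\underline{A})(\lambda x\colon B.\ u) && \text{(definition of let)} \\
&= (\Lambda \underline{X}.\ \lambda p\colon B \to \underline{X}.\ p(t))(\underline{A})(\lambda x\colon B.\ u) && \text{(definition of } {!t}\text{)} \\
&= (\lambda p\colon B \to \underline{A}.\ p(t))(\lambda x\colon B.\ u) && \text{(beta for type application)} \\
&= (\lambda x\colon B.\ u)(t) && \text{(beta)} \\
&= u[t/x] && \text{(beta)}
\end{aligned}$$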

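Lemma 5.1 can be formulated as the two equality rules for the monadic type let constructor.

$$\frac{\Gamma \mid - \vdash t\colon B \qquad \Gamma, x\colon B \mid - \vdash u\colon \underline{A}}{\Gamma \mid - \vdash \mathrm{let}\ {!x}\ \mathrm{be}\ {!t}\ \mathrm{in}\ u = u[t/x]\colon \underline{A}} \qquad\qquad \frac{\Gamma \mid \Delta \vdash s\colon {!A} \qquad \Gamma \mid y\colon {!A} \vdash u\colon \underline{C}}{\Gamma \mid \Delta \vdash \mathrm{let}\ {!x}\ \mathrm{be}\ s\ \mathrm{in}\ u[{!x}/y] = u[s/y]\colon \underline{C}}$$

It is not hard to show that the two rules above are equivalent to the three items of Lemma 5.1
and we leave this straightforward exercise.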

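For any set $A$ in $\mathcal{C}$ define $\eta_A\colon A \to {!A}$ by $\eta_A = \lambda x.\ {!x}$.

Theorem 5.2. The function $\eta_A\colon A \to {!A}$ presents $!A$ as the free algebra over $A$, i.e., for
any algebra $\underline{B}$ and function $f\colon A \to U\underline{B}$, there exists a unique homomorphism $h\colon {!A} \multimap \underline{B}$
such that $h \circ \eta_A = f$. Indeed, $h$ is given by $\lambda^\circ y.\ \mathrm{let}\ {!x}\ \mathrm{be}\ y\ \mathrm{in}\ f(x)$.

Proof. Clearly $\lambda^\circ y.\ \mathrm{let}\ {!x}\ \mathrm{be}\ y\ \mathrm{in}\ f(x)$ is a homomorphism, and $(\lambda^\circ y.\ \mathrm{let}\ {!x}\ \mathrm{be}\ y\ \mathrm{in}\ f(x)) \circ \eta_A = f$
because $\mathrm{let}\ {!x}\ \mathrm{be}\ {!x}\ \mathrm{in}\ f(x) = f(x)$ by Lemma 5.1(1). For uniqueness, suppose $h$ is such that
$h \circ \eta_A = f$. Then

$$\begin{aligned}
h(y) &= h(\mathrm{let}\ {!x}\ \mathrm{be}\ y\ \mathrm{in}\ {!x}) && \text{(Lemma 5.1(2))} \\
&= \mathrm{let}\ {!x}\ \mathrm{be}\ y\ \mathrm{in}\ h({!x}) && \text{(Lemma 5.1(3))} \\
&= \mathrm{let}\ {!x}\ \mathrm{be}\ y\ \mathrm{in}\ f(x) && (h \circ \eta_A = f),
\end{aligned}$$

as required. □

It follows from the above theorem that the operation mapping $A$ to the algebra $!A$ is
the object part of a functor $F\colon \mathcal{C} \to \mathcal{A}$ left adjoint to $U$. We write $T$ for the associated
monad $UF$ on $\mathcal{C}$.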

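The bijective correspondence of Theorem 5.2 can be expressed in the type theory PE
as an isomorphism of (value) types between ${!A} \multimap \underline{B}$ and $A \to \underline{B}$ given by terms

$$\lambda f\colon A \to \underline{B}.\ \lambda^\circ z\colon {!A}.\ \mathrm{let}\ {!x}\ \mathrm{be}\ z\ \mathrm{in}\ f(x) \;\colon\; (A \to \underline{B}) \to {!A} \multimap \underline{B}$$

$$\lambda g\colon {!A} \multimap \underline{B}.\ \lambda x\colon A.\ g(\eta_A(x)) \;\colon\; ({!A} \multimap \underline{B}) \to A \to \underline{B}.$$

Thus we have a Girard decomposition of function spaces with computation type codomains,
further motivating the ! notation.

We end this section with three characterisations of the induced relational lifting of the
! type constructor.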

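Proposition 5.3. Suppose $A, B$ are objects of $\mathcal{C}$ and $R \in \mathcal{R}_{\mathcal{C}}(A,B)$ is a relation.

(1) ${!R} \in \mathcal{R}_{\mathcal{A}}({!A}, {!B})$ is the smallest admissible $\mathcal{A}$-relation containing all pairs of the form
$(\eta(x), \eta(y))$ for $(x,y) \in R$.

(2) $!R$ is the smallest admissible relation containing the image of the map $TR \to TA \times TB$
obtained by applying the functor $T$ to the span corresponding to $R$.

(3) If $\underline{A}, \underline{B} \in \mathcal{A}$, $R \in \mathcal{R}_{\mathcal{C}}(A,B)$, $Q \in \mathcal{R}_{\mathcal{A}}(\underline{A},\underline{B})$ and $f\colon {!A} \multimap \underline{A}$, $g\colon {!B} \multimap \underline{B}$, then
$({!R} \multimap Q)(f,g)$ iff $(R \to Q)(f \circ \eta_A, g \circ \eta_B)$.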

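Proof. For item 1 we first show that if $(x,y) \in R$ then $(\eta_A(x), \eta_B(y)) \in {!R}$. So suppose we
are given $\underline{A}, \underline{B} \in \mathcal{A}$ and $Q \in \mathcal{R}_{\mathcal{A}}(\underline{A},\underline{B})$. We must show that if $f\colon A \to U\underline{A}$, $g\colon B \to U\underline{B}$
satisfy $(R \to Q)(f,g)$ then $Q(\eta_A(x)(\underline{A})(f), \eta_B(y)(\underline{B})(g))$. But this follows from definition
of $(R \to Q)$ since $(\eta_A(x)(\underline{A})(f), \eta_B(y)(\underline{B})(g)) = (f(x), g(y))$.

Now, suppose $Q \in \mathcal{R}_{\mathcal{A}}({!A}, {!B})$ and for all $(x,y) \in R$ we have $Q(\eta_A(x), \eta_B(y))$, or in
other words $(R \to Q)(\eta_A, \eta_B)$. We must show that ${!R} \subseteq Q$. So suppose ${!R}(z,z')$. By
definition of $!R$ using $(R \to Q)(\eta_A, \eta_B)$ we have

$$Q(z({!A})(\eta_A),\ z'({!B})(\eta_B)).$$

But by definition $z({!A})(\eta_A) = \mathrm{let}\ {!x}\ \mathrm{be}\ z\ \mathrm{in}\ {!x}$ which by Lemma 5.1 is equal to $z$. Likewise
$z'({!B})(\eta_B) = z'$ proving $Q(z,z')$.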

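For the proof of item 2 we use the notation $\mathrm{im}(TR)^\circ$ for the smallest admissible relation
containing the image of the map obtained by applying $T$ to the span corresponding to $R$.
Since $(R \to \mathrm{im}(TR)^\circ)(\eta_A, \eta_B)$, by item 1 the relation $!R$ is contained in $\mathrm{im}(TR)^\circ$. For the
other inclusion notice that since $(R \to {!R})(\eta_A, \eta_B)$, naturality of the correspondence given
by Theorem 5.2 implies the existence of a map $h$ making the diagram

[Diagram: the span $TA \xleftarrow{T\pi_1} TR \xrightarrow{T\pi_2} TB$ drawn above the span $TA \leftarrow {!R} \rightarrow TB$, with the map $h\colon TR \to {!R}$ between them.]

commute. This proves $\mathrm{im}(TR) \subseteq {!R}$. Since $!R$ is admissible $\mathrm{im}(TR)^\circ$ must be contained
in $!R$.

For item 3 the "only if" direction is simply because $(R \to {!R})(\eta_A, \eta_B)$. On the other
hand, if $(R \to Q)(f \circ \eta_A, g \circ \eta_B)$ then $(f,g)^{-1}Q$ is an admissible relation containing all
elements of the form $(\eta_A(x), \eta_B(y))$ for which $R(x,y)$ holds, and so by item 1 must contain
$!R$ proving $({!R} \multimap Q)(f,g)$. □

$1^\circ =_{\mathrm{def}} \forall \underline{X}.\ 0 \to \underline{X}$

$\underline{A} \times^\circ \underline{B} =_{\mathrm{def}} \forall \underline{X}.\ ((\underline{A} \multimap \underline{X}) + (\underline{B} \multimap \underline{X})) \to \underline{X}$ $\quad (\underline{X} \notin \mathrm{ftv}(\underline{A},\underline{B}))$

$0^\circ =_{\mathrm{def}} \forall \underline{X}.\ \underline{X}$

$\underline{A} \oplus \underline{B} =_{\mathrm{def}} \forall \underline{X}.\ (\underline{A} \multimap \underline{X}) \to (\underline{B} \multimap \underline{X}) \to \underline{X}$ $\quad (\underline{X} \notin \mathrm{ftv}(\underline{A},\underline{B}))$

$B \cdot \underline{A} =_{\mathrm{def}} \forall \underline{X}.\ (B \to \underline{A} \multimap \underline{X}) \to \underline{X}$ $\quad (\underline{X} \notin \mathrm{ftv}(B,\underline{A}))$

$\exists^\circ X.\ \underline{A} =_{\mathrm{def}} \forall \underline{Y}.\ (\forall X.\ (\underline{A} \multimap \underline{Y})) \to \underline{Y}$ $\quad (\underline{Y} \notin \mathrm{ftv}(\underline{A}))$

$\exists^\circ \underline{X}.\ \underline{A} =_{\mathrm{def}} \forall \underline{Y}.\ (\forall \underline{X}.\ (\underline{A} \multimap \underline{Y})) \to \underline{Y}$ $\quad (\underline{Y} \notin \mathrm{ftv}(\underline{A}))$

$\mu^\circ \underline{X}.\ \underline{A} =_{\mathrm{def}} \forall \underline{X}.\ (\underline{A} \multimap \underline{X}) \to \underline{X}$ $\quad (\underline{X}$ +ve in $\underline{A})$

$\nu^\circ \underline{X}.\ \underline{A} =_{\mathrm{def}} \exists^\circ \underline{X}.\ (\underline{X} \multimap \underline{A}) \cdot \underline{X}$ $\quad (\underline{X}$ +ve in $\underline{A})$

Figure 5: Definable computation types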


6. Definable computation types 

The monadic type constructor ! is just one example of a type constructor definable
using parametric polymorphism. In Figure 2 we have seen a collection of type constructors
on value types and Figure 5 presents a collection of type constructors on computation types.
The latter should be viewed as well chosen variants of Plotkin's polymorphic type encodings
in second-order intuitionistic linear type theory, cf. [281 [Sj Sj. (For relations between this
calculus and PE see Section 8). We briefly discuss the computation type encodings.

Semantically, because $U\colon \mathcal{A} \to \mathcal{C}$ weakly creates limits, algebras are closed under products
in $\mathcal{C}$. Syntactically, however, the types $1$ and $A \times B$ from Figure 2 are not computation
types. Thus the alternative encodings $1^\circ$ and $\underline{A} \times^\circ \underline{B}$ are needed to obtain products of
computation types as computation types. The types $0^\circ$ and $\underline{A} \oplus \underline{B}$ from Figure 5 define
respectively an initial object and binary coproduct in the category $\mathcal{A}$. This structure is
not preserved by $U$, and coproducts of algebras behave very differently from coproducts
of sets in $\mathcal{C}$. (The latter are implemented by the sum types in Figure 2.) The type $B \cdot \underline{A}$
defines a $\mathcal{C}[\![B]\!]$-fold copower of $\mathcal{A}[\![\underline{A}]\!]$ in $\mathcal{A}$. Figure 5 also contains: existential types, $\exists^\circ X.\ \underline{A}$
and $\exists^\circ \underline{X}.\ \underline{A}$, packaged up as computation types; inductive computation types, $\mu^\circ \underline{X}.\ \underline{A}$; and
coinductive computation types, $\nu^\circ \underline{X}.\ \underline{A}$. As is standard, the (co)inductive types rely on the
functoriality of type expressions in their positive arguments. A special case of the inductive
types is the isomorphism

$$\underline{A} \cong^\circ \forall \underline{X}.\ (\underline{A} \multimap \underline{X}) \to \underline{X}$$

valid for all computation types $\underline{A}$ in which $\underline{X}$ does not occur free. It is a consequence of
relational parametricity that the above types all enjoy the correct universal properties. The
arguments are carried out most naturally using a suitable logic for relational parametricity
in PE, see [21].

7. Specialising the calculus to specific effects 

The type theory PE is a generic calculus for effects since the type $!B$ can be interpreted
as an arbitrary monad, and no further effect-specific features are included. In this regard,
PE is analogous to Moggi's computational $\lambda$-calculus [22], computational metalanguage [23]
and Levy's call-by-push-value [15]. As with those calculi, specific effects can be incorporated
by specialising the calculus appropriately. Typically, such specialisation takes place by
extending the basic calculus with appropriately typed constants for any desired operations
on effects. The addition of such constants takes place within the semantic theory described
thus far, and so does not affect the validity of the results we have presented. For example,
the universal properties of the defined types, discussed in Sections 5 and 6 (and treated in
more detail in [21]), are unaltered.

In this section we consider various specialisations of the basic calculus, emphasising, in 
particular, the interaction with parametricity. 

In a recent programme of research [31], Plotkin and Power have shown that many
monads of computational interest can be profitably viewed as free algebra constructions for
equational theories. This approach arises naturally from a computational viewpoint: the
"algebraic operations" used to specify the theory correspond to programming primitives that
cause effects, and the equational theory simply expresses natural behavioural equivalences
between such primitives. We begin this section with an analysis of how to specialise PE to
the case of such "algebraic effects".

Our approach is justified by a general theorem, which we now present. As one of
their central results about algebraic effects, Plotkin and Power establish a one-to-one
correspondence between "algebraic operations" and "generic effects" [30]. The theorem below
reformulates this correspondence in our setting, and adds a third equivalent induced by our
polymorphic description of monadic types. We shall apply this third equivalent to obtain
the correct polymorphic typing for algebraic operations in effect-specific specialisations of
PE.

Theorem 7.1. For any set $A$ in $\mathcal{C}$, there are one-to-one correspondences between:

(1) "algebraic operations of arity $A$", i.e., natural transformations from the functor
$(U(-))^A : \mathcal{A} \to \mathcal{C}$ to $U$,

(2) "generic effects over $A$", i.e., elements of $TA$, and

(3) "polymorphic computation type operations of arity $A$", that is, elements of the type
$\forall \underline{X}.\ (A \to \underline{X}) \to \underline{X}$.

The simplifications in the formulation of statement 1 above, compared with [30], are due
to our set-theoretic setting, which renders it unnecessary to consider issues relating to
enrichment or tensorial strength. Also note that, by statement 2, the other two statements,
in spite of appearances, depend only on the monad $T$ on $\mathcal{C}$, not on how it is resolved into
an adjunction $F \dashv U : \mathcal{A} \to \mathcal{C}$.

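Proof. The equivalence of statements 2 and 3 is immediate from (jl.ip, because $TA = {!A}$.
So we establish the equivalence of 1 and 3. Suppose that $\theta$ is a natural transformation
from $(U(-))^A$ to $U$. We show that the mapping
$\underline{A} \in \mathcal{A} \mapsto \lambda f : A \to U\underline{A}.\ \theta_{\underline{A}}(f)$ is an element of
$\forall \underline{X}.\ (A \to \underline{X}) \to \underline{X}$. Suppose $\underline{A}, \underline{B} \in \mathcal{A}$ and
$Q \in \mathcal{R}_{\mathcal{A}}(\underline{A}, \underline{B})$. We must show that if $(\Delta_A \to Q)(f, g)$ then also
$Q(\theta_{\underline{A}}(f), \theta_{\underline{B}}(g))$. Since $Q$ is an $\mathcal{A}$-relation there exists a span
$\underline{A} \leftarrow \underline{C} \rightarrow \underline{B}$ in $\mathcal{A}$ projected by $U$ to $U\underline{A} \leftarrow Q \rightarrow U\underline{B}$, and so by
naturality the two squares below commute.

$$\begin{array}{ccccc}
(U\underline{A})^A & \longleftarrow & Q^A & \longrightarrow & (U\underline{B})^A \\
\big\downarrow{\scriptstyle \theta_{\underline{A}}} & & \big\downarrow{\scriptstyle \theta_{\underline{C}}} & & \big\downarrow{\scriptstyle \theta_{\underline{B}}} \\
U\underline{A} & \xleftarrow{\;\pi_1\;} & Q & \xrightarrow{\;\pi_2\;} & U\underline{B}
\end{array}$$

But this says that, for any $f, g$ with $Q(f(x), g(x))$ for all $x \in A$, it holds that
$Q(\theta_{\underline{A}}(f), \theta_{\underline{B}}(g))$, which is what we needed to show. For the converse direction,
suppose $\kappa$ is an element of $\forall \underline{X}.\ (A \to \underline{X}) \to \underline{X}$. Then
$\theta_{\underline{A}}(f) = \kappa(\underline{A})(f)$ is the corresponding algebraic operation. Verifying naturality is a
routine use of graphs of homomorphisms: if $g : \underline{B} \multimap \underline{C}$ and $f : A \to \underline{B}$ then by
parametricity

$$((\Delta_A \to \langle g \rangle) \to \langle g \rangle)(\kappa(\underline{B}), \kappa(\underline{C})),$$

so since $(\Delta_A \to \langle g \rangle)(f, g \circ f)$, also $\langle g \rangle(\kappa(\underline{B})(f), \kappa(\underline{C})(g \circ f))$, i.e.,
$g(\theta_{\underline{B}}(f)) = \theta_{\underline{C}}(g \circ f)$, proving naturality. It is obvious that the two constructions
are mutually inverse. □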

To illustrate how Theorem 7.1 informs the specialisation of PE to algebraic effects,
we consider nondeterminism as a typical example. As in [31], nondeterministic choice is
naturally formulated using a binary operation "or" satisfying the semilattice equations:

$$x \mathbin{\mathrm{or}} x = x, \qquad x \mathbin{\mathrm{or}} y = y \mathbin{\mathrm{or}} x, \qquad x \mathbin{\mathrm{or}} (y \mathbin{\mathrm{or}} z) = (x \mathbin{\mathrm{or}} y) \mathbin{\mathrm{or}} z .$$

Define the category $\mathcal{A}_{\mathrm{nd}}$ of "nondeterministic algebras" to have, as objects, structures
$(A, \mathrm{or}_A)$ where $A$ is a set in $\mathcal{C}$ and $\mathrm{or}_A : A \times A \to A$ satisfies the semilattice
equations, and, as morphisms from $(A, \mathrm{or}_A)$ to $(B, \mathrm{or}_B)$, functions from $A$ to $B$ that are
homomorphisms with respect to the "or" operations. It is easily verified that the obvious
forgetful functor $U : \mathcal{A}_{\mathrm{nd}} \to \mathcal{C}$ satisfies conditions (A1)-(A4).

Since the morphisms in $\mathcal{A}_{\mathrm{nd}}$ are homomorphisms, the operation mapping any
nondeterministic algebra $(A, \mathrm{or}_A)$ to the function $\mathrm{or}_A : A^2 \to A$ is an algebraic operation
of arity 2 in the sense of statement 1 of Theorem 7.1. Thus, applying Theorem 7.1 and currying,
one obtains a corresponding polymorphic operation:

$$\mathrm{or} : \forall \underline{X}.\ \underline{X} \to \underline{X} \to \underline{X} .$$

Accordingly, nondeterministic choice can be incorporated in PE by adding a constant "or",
typed as above, to the type theory. This example illustrates the general pattern for adding
algebraic operations as polymorphic constants to our type theory, and readily adapts to the
algebraic operations associated with other algebraic effects.
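
An added example, not code from the paper: the three statements of Theorem 7.1 made concrete for nondeterminism, assuming $T$ is the free-semilattice monad modelled by Python frozensets (non-empty finite subsets). All function names, the sample algebras and the generic effect `CHOICE` are constructed for illustration.

```python
# Added illustration, not code from the paper. T is modelled as the
# free-semilattice monad: TA = non-empty finite subsets of A (frozenset).
from functools import reduce
from itertools import combinations, product

def eta(x):
    """Unit of the monad: A -> TA."""
    return frozenset([x])

def extend(or_b, f):
    """Homomorphic extension TA -o B of f : A -> UB, for an algebra (B, or_b)."""
    return lambda s: reduce(or_b, [f(x) for x in s])

# Statement (2): a generic effect over 2 = {0, 1} is an element of T2.
CHOICE = frozenset([0, 1])

def algebraic_op(gen):
    """(2) to (1): the component at (B, or_b) sends f : 2 -> UB to extend(f)(gen)."""
    return lambda or_b: (lambda f: extend(or_b, f)(gen))

def polymorphic_or(or_x):
    """(1) to (3), curried: component at (X, or_x) of or : forall X. X -> X -> X."""
    op = algebraic_op(CHOICE)(or_x)
    return lambda x, y: op(lambda i: (x, y)[i])

def generic_effect(kappa):
    """(3) to (2): instantiate kappa at the free algebra T2 and apply it to eta."""
    return kappa(lambda s, t: s | t)(eta(0), eta(1))

def is_natural(h, or_a, or_b, carrier_a):
    """Check h(op_A(f)) == op_B(h . f) for every f : 2 -> carrier_a."""
    op_a, op_b = algebraic_op(CHOICE)(or_a), algebraic_op(CHOICE)(or_b)
    return all(h(op_a(lambda i: xs[i])) == op_b(lambda i: h(xs[i]))
               for xs in product(carrier_a, repeat=2))

# Constructed sample algebras: (non-empty subsets of {1,2,3}, union) and (int, max).
SUBSETS = [frozenset(c) for r in (1, 2, 3) for c in combinations((1, 2, 3), r)]
union = lambda s, t: s | t
int_max = lambda a, b: max(a, b)

if __name__ == "__main__":
    print(generic_effect(polymorphic_or))            # round trip (3) -> (2)
    print(is_natural(max, union, int_max, SUBSETS))  # max is a homomorphism
    print(is_natural(len, union, int_max, SUBSETS))  # len is not a homomorphism
```

Naturality is only required along homomorphisms: `max` preserves "or" between the two sample algebras, while `len` does not, so the check fails for it.
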

A limitation of the notion of algebraic operation is that there exist effect-specific
programming primitives that are not algebraic operations. One well-known example of such
a primitive is exception handling. Below, we show how exception handling may also be
incorporated within our approach as a suitably typed polymorphic constant. The approach
is justified by a general theorem, giving another instance of a coincidence between natural
transformations and elements of polymorphic type.

Theorem 7.2. For any $n \in \mathbb{N}$, there are one-to-one correspondences between:

(1) Natural transformations from $(F(-))^n : \mathcal{C} \to \mathcal{A}$ to $F : \mathcal{C} \to \mathcal{A}$, and

(2) elements of $\forall X.\ (n \to {!X}) \multimap {!X}$,

where, in statement 2, we write $n$ for the $n$-fold coproduct type $1 + \cdots + 1$, as defined in
Figure 2.

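Proof. An element of $\forall X.\ (n \to {!X}) \multimap {!X}$ gives for each $A \in \mathcal{C}$ a map
$(FA)^n \multimap FA$, and the naturality square for this family follows from the parametricity
condition satisfied by elements of polymorphic type, applied to the graph of a function. The
interesting part of this proof is to show that natural transformations satisfy the
parametricity condition and thus define elements of $\forall X.\ (n \to {!X}) \multimap {!X}$.

So suppose $(f_A : (FA)^n \multimap FA)_{A \in \mathcal{C}}$ is a natural transformation, and $A, B \in \mathcal{C}$ and
$R \in \mathcal{R}_{\mathcal{C}}(A, B)$. We must show that $((n \to {!R}) \multimap {!R})(f_A, f_B)$. Naturality applied to
the span $A \leftarrow R \rightarrow B$ gives us commutativity of

$$\begin{array}{ccccc}
(FA)^n & \longleftarrow & (FR)^n & \longrightarrow & (FB)^n \\
\big\downarrow{\scriptstyle f_A} & & \big\downarrow{\scriptstyle f_R} & & \big\downarrow{\scriptstyle f_B} \\
FA & \longleftarrow & FR & \longrightarrow & FB
\end{array}$$

Since $f_A$ and $f_B$ are homomorphisms, this implies

$$(\mathrm{im}((TR)^n)^{\circ} \to \mathrm{im}(TR)^{\circ})(Uf_A, Uf_B) .$$

Now, one can easily check that $\mathrm{im}((TR)^n)^{\circ} = (\mathrm{im}(TR)^{\circ})^n$ and so
$(({!R})^n \multimap {!R})(Uf_A, Uf_B)$ by Proposition 5.3, as desired. □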

We now consider exception handling in detail. We assume we have a set $E$ of exceptions
with decidable equality (i.e., for all $e, e' \in E$ either $e = e'$ or $e \neq e'$). We also assume (for
simplicity) that $\mathcal{C}$ is closed under binary coproduct in Set (this is consistent with the
axioms for $\mathcal{C}$). We define the category $\mathcal{A}_{\mathrm{exc}}$ of "exception algebras" to have, as objects,
structures $(A, \{\mathrm{raise}^e_A\}_{e \in E})$ where $\mathrm{raise}^e_A \in A$, and, as morphisms from
$(A, \{\mathrm{raise}^e_A\}_{e \in E})$ to $(B, \{\mathrm{raise}^e_B\}_{e \in E})$, functions from $A$ to $B$ that map each
$\mathrm{raise}^e_A$ to $\mathrm{raise}^e_B$. Since the $\mathrm{raise}^e$ elements are algebraic constants (operations of
arity 0), they can be added to PE as constants:

$$\mathrm{raise}^e : \forall \underline{X}.\ \underline{X} .$$

As is standard, the forgetful functor from $\mathcal{A}_{\mathrm{exc}}$ to $\mathcal{C}$ has as its left adjoint the functor
$F$ mapping $A$ to the exception algebra $(A + E, \{\mathrm{inr}(e)\}_{e \in E})$. For an exception $e \in E$, the
handling operation over $A$ is the function $\mathrm{handle}^e_A : (F(A))^2 \to F(A)$ defined by

$$\mathrm{handle}^e_A(p, q) = \begin{cases} p & \text{if } p \neq \mathrm{inr}(e) \\ q & \text{if } p = \mathrm{inr}(e) \end{cases}$$

It is easily shown that this specifies a natural transformation from the functor
$(F(-))^2 : \mathcal{C} \to \mathcal{A}_{\mathrm{exc}}$ to $F : \mathcal{C} \to \mathcal{A}_{\mathrm{exc}}$. In particular, the component
$\mathrm{handle}^e_A$ of the natural transformation does lie in $\mathcal{A}_{\mathrm{exc}}$ because the interpretation of
$\mathrm{raise}^e$ in the exception algebra $F(A)^2$ is the pair $(\mathrm{inr}(e), \mathrm{inr}(e))$. Thus, by
Theorem 7.2, exception handling can be incorporated in PE by adding typed constants:

$$\mathrm{handle}^e : \forall X.\ (2 \to {!X}) \multimap {!X} .$$

The main surprise with this typing is that exception handling is given a "linear" type.
From this typing, one of course obtains an associated term of the less informative type
$\forall X.\ (2 \to {!X}) \to {!X}$, which is isomorphic to the expected type
$\forall X.\ {!X} \to {!X} \to {!X}$.
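
An added example, not code from the paper: the handling operation on the free exception algebras $F(A) = A + E$, checked by brute force on a small constructed $A$ and $E$. It confirms the homomorphism and naturality conditions used above, and shows that the same map fails to commute with a homomorphism that is not of the form $F(f)$, which is the sense in which handling is not an algebraic operation. The function names and the Kleisli-extension helper are assumptions of the example.

```python
# Added illustration, not code from the paper: handle^e on F(A) = A + E.
from itertools import product

E = ("e", "e2")                      # constructed set of exceptions

def inl(a): return ("inl", a)        # a value a in A
def inr(e): return ("inr", e)        # raise^e in F(A)

def F_obj(carrier):
    """Underlying set of the free exception algebra F(A) = A + E."""
    return [inl(a) for a in carrier] + [inr(e) for e in E]

def F_map(f):
    """F(f) : F(A) -o F(B), acting on values and fixing every raise^e."""
    return lambda p: inl(f(p[1])) if p[0] == "inl" else p

def handle(e):
    """handle^e(p, q) = q if p = inr(e), and p otherwise."""
    return lambda p, q: q if p == inr(e) else p

def kleisli(k):
    """Homomorphic extension F(A) -o F(B) of k : A -> U F(B); it fixes raise^e."""
    return lambda p: k(p[1]) if p[0] == "inl" else p

def is_homomorphism(e):
    """handle^e sends raise^{e2} of F(A)^2, the pair (inr e2, inr e2), to inr e2."""
    return all(handle(e)(inr(e2), inr(e2)) == inr(e2) for e2 in E)

def commutes_with(h, e, carrier):
    """Check h(handle^e(p, q)) == handle^e(h p, h q) for all p, q in F(carrier)."""
    return all(h(handle(e)(p, q)) == handle(e)(h(p), h(q))
               for p, q in product(F_obj(carrier), repeat=2))

A = (0, 1, 2)                                             # constructed sample set
double = lambda a: 2 * a                                  # a map f in C
fail_on_zero = lambda a: inr("e") if a == 0 else inl(a)   # k : A -> U F(A)

if __name__ == "__main__":
    print(is_homomorphism("e"))                           # component lies in A_exc
    print(commutes_with(F_map(double), "e", A))           # natural along F(f)
    print(commutes_with(kleisli(fail_on_zero), "e", A))   # fails along k-dagger
```

The failing case is `p = inl(0)`, `q = inl(1)`: handling first and then running `fail_on_zero` raises `e`, while running it on both arguments first lets the handler recover with `inl(1)`.
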

Paul Levy (personal communication) has pointed out that the above account of
exception handling is not robust, in the sense that, in the presence of effects other than
exceptions, the linear typing of $\mathrm{handle}^e$ above is not always correct. In situations in which
handling is non-linear, one would expect the non-linear typing
$\forall X.\ {!X} \to {!X} \to {!X}$ to still be correct. However, Theorem 7.2 is no longer
applicable to establish parametricity. It would thus be interesting to find a general
argument, valid in the presence of other effects, for the parametricity of handling.

Both Theorems 7.1 and 7.2 relate elements of certain polymorphic types with natural
transformations between associated functors. In fact, more generally, for types that
determine functors, parametricity implies naturality (cf. [29]). However, the exact
correspondences between natural transformations and parametric elements established above
depend crucially on the precise forms of types considered there.

The forms of $n$-ary operation considered in this section by no means exhaust the
collection of operations of interest from an effects perspective. Control operators provide a
particularly interesting class of examples that do not fit into this format. We briefly discuss
how PE can be specialised to control at the end of Section 8.

8. Relation to other systems 

Several computational effects of interest, including nontermination, nondeterminism,
and probabilistic choice, give rise to monads on $\mathcal{C}$ that are commutative, cf. [23]. The
collection of models of PE in which $\mathcal{A}$ is the category of algebras for a commutative monad
$T$ is of special interest since, for such monads, the set of homomorphisms
$\underline{A} \multimap \underline{B}$ between algebras $\underline{A}, \underline{B}$ carries a canonical algebra structure which
provides a closed structure on the category $\mathcal{A}$. For such models, it is thus natural to
modify our type system by including $\underline{A} \multimap \underline{B}$ as a computation type. Making this
adjustment, one obtains second-order intuitionistic linear type theory as the fragment of
computation types:

$$\underline{X} \mid \underline{A} \to \underline{B} \mid \underline{A} \multimap \underline{B} \mid \forall \underline{X}.\ \underline{A} . \tag{8.1}$$

Thus we obtain a rich collection of models for the type theory proposed by Plotkin as a
foundation for combining polymorphism and recursion [28].

A simple application of the polymorphic encodings in Figures 2 and 5 is to translate
Levy's CBPV calculus [15] into PE. For this, coproducts and products of value types are
translated using $+$ and $\times$ from Figure 2, products of computation types are translated using
$\times^{\circ}$ from Figure 5, Levy's $F$ constructor is translated using $!$, and $U$ is simply ignored.

One of the properties of Levy's CBPV calculus is that its adjunction models [16] are not
required to satisfy any properties analogous to our conditions (A1) and (A2). In Sections 3
and m we exploited (A1) to satisfy the requirement that
$U(\mathcal{A}[\![\underline{A}]\!]) = \mathcal{C}[\![\underline{A}]\!]$, and (A2) to obtain that relations in $\mathcal{A}$ can be viewed as
special relations in $\mathcal{C}$ (cf. Lemma 3.2), which is crucial in interpreting
$\mathcal{R}[\![\underline{A}]\!]$ as an admissible $\mathcal{A}$-relation. We comment, however, that it is possible to
generalise our account of relational parametricity to models in which (A1) is weakened to
the requirement that $\mathcal{A}$ be small-complete and $U$ preserve limits (which always holds in
Levy's models since $U$ is a right adjoint), and in which condition (A2) is dropped
altogether. For such models, condition (A1) can then be engineered by changing $\mathcal{A}$ to an
equivalent category, and adjusting $U$ accordingly, as in [20]; or, more naturally, the
semantics can be adjusted, rather than the category, so as to obtain a specified isomorphism
$U(\mathcal{A}[\![\underline{A}]\!]) \cong \mathcal{C}[\![\underline{A}]\!]$, instead of an equality. Dropping condition (A2) causes a
more significant complication. In its absence, it seems necessary to define a special
relational semantics for computation types, rather than inheriting the relational semantics
for computation types from that for value types (as done in Section 3). Moreover, while such
an approach is natural, it does make the semantic definitions significantly more complicated.
In this paper, we have chosen to assume properties (A1) and (A2), since we value the
convenience of simplified semantic definitions (which are anyway complicated enough as they
are!) over the added generality of having a wider class of models.

Finally, we mention how the interesting case of control operators can be accommodated
within PE. This cannot be achieved by following the general methods of Section 7, since
the continuations monad $R^{R^{(-)}}$ does not arise naturally as the free algebra for an algebraic
theory, and the control primitives associated with continuations are not algebraic operations.
Nevertheless, it turns out that PE can be usefully specialised to the case of control by adding
a polymorphic constant of type (using the defined type $0^{\circ}$ from Figure 5):

VX. {{X 0°) ^0°) ^ X , 

acting as a pointwise inverse to the canonical element of type VX. X {{X_ 0°) 0°). 
The resulting theory is studied in detail in a companion article [20], where it is shown that
Hasegawa's results on polymorphic definability in the second-order $\lambda\mu$-calculus [9] fall out
as special cases of constructions from Figure 5.

9. Applicability of results 

We have given a semantic account of relational parametricity in the presence of
computational effects. From our working perspective within IZF, this is parametrized on being
given categories $\mathcal{C}$ and $\mathcal{A}$ and families of relations $\mathcal{R}_{\mathcal{C}}$ and $\mathcal{R}_{\mathcal{A}}$,
satisfying axioms (C1)-(C4), (A1)-(A4) and (R1)-(R4). Moreover, Proposition 3.5 shows that
such data can be obtained whenever one has a monad $T$ on a category $\mathcal{C}$ satisfying (C1)-(C4).

To conclude the paper, we outline how this theory might actually be applied to prove
properties of polymorphic programs with effects. Suppose we have some given polymorphic
$\lambda$-calculus $L$ with a choice of effect-primitives as the programming language of interest.
The basic idea is to formulate both the operational and denotational semantics of $L$ within
IZF. The operational semantics is treated in the standard way, for which the use of classical
logic is inessential. The denotational semantics is developed using the assumption of a
category $\mathcal{C}$ satisfying (C1)-(C4). The construction of $\mathcal{A}$ and $\mathcal{R}_{\mathcal{C}}$ and
$\mathcal{R}_{\mathcal{A}}$ will depend upon the effects present in the language. For (a simple) example, if
the only effect is nondeterministic choice then $T$ can be defined to be the free-semilattice
functor over $\mathcal{C}$, and the entire model is then obtained via Proposition 3.5. For general
effects, the construction of the model will be more complex than this, especially in the
presence of recursion, cf. [35]. Indeed, there is need for a uniform theory of how to build
such models; some hints in this direction appear in [30].

Once one has both operational semantics and model, the next step is to prove, within
IZF, a computational adequacy result for the model, implying that the model is sound with
respect to operational equivalence. In examples considered hitherto, such proofs have been
obtained by standard logical-relations-based methods [37] EH ESj. They rely only on having
some appropriate non-triviality property of $\mathcal{C}$ (for example, that the natural numbers is an
object of $\mathcal{C}$ [37]).

Computational adequacy allows one to transfer equational properties of the denota- 
tional semantics to the operational semantics. However, the above development has taken 
place in IZF, together with the assumption of a category C satisfying (C1)-(C4). We can 
therefore infer operational properties within this metatheory; but, of course, we want to be 
sure that such properties are actually true in the real world. The remaining step is to use 
a transfer property which allows us to conclude exactly this. 

The transfer property is based on the existence of realizability models of IZF which
possess within them categories $\mathcal{C}$ satisfying (C1)-(C4) and containing the natural numbers
as an object. As already discussed in Section 3, such models derive from the work of Hyland
et al. on small-complete small categories [10, 12]. Now, the relevant realizability models
all enjoy the property of being $\Pi_2$-absolute, meaning that a $\Pi_2$-sentence holds in the model
if and only if it is true externally. This implies that properties of operational equivalence
that are true in the model are indeed true in reality, see [37, 39, 35] for related arguments.

We have outlined a programme of how one can potentially use the theory of parametric- 
ity developed in this paper to derive operational properties of programs. It would be good 
to have examples of such applications worked out in computationally interesting cases. 

There is, of course, a significant drawback with the intuitionistic-set-theory-based ap- 
proach we have been following. The mathematical overheads are considerable. It seems 
likely that a more practical theory of parametricity for effects should be achievable using 
direct operational methods. We leave this as an interesting direction for future research. It 
is plausible that the denotational approach we have been following in this paper might be 
useful in informing the development of such an operational theory. 